Bad sanitization in the "vtlib_purify" function leads to XSS in tsolucio/corebos
Aug 31st 2022
The whole project uses "vtlib_purify" to sanitize user input. It does a good job of stripping HTML tags such as <svg>. However, it allows the <a> tag, and we can use its href attribute by changing the : character to
So, our final payload is
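The check an href filter has to get right, as an added example. This is not code from corebos or from the report's author, and it does not reproduce the report's payload: the report does not say which character it substituted for the colon, so the substitutions used here (HTML character references and embedded whitespace) are this example's own assumptions. The general point they illustrate is certain: a browser decodes character references inside attribute values and strips ASCII whitespace and control characters while parsing a URL, so a filter that inspects the attribute text as written and looks only for the literal "javascript:" prefix is decided on a different string than the one the browser executes. The hardened check normalizes first and then allowlists the scheme, which closes the whole class rather than one spelling.

```python
# Added example, not corebos code: a literal "javascript:" check on the raw
# href text versus a scheme allowlist applied after browser-style
# normalisation. The substitutions in SAMPLES are this example's own
# assumptions; the report elides the character it actually used.
import html
import re
from typing import Optional

ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Constructed sample href values, as they would appear in the markup.
SAMPLES = {
    "plain": "javascript:alert(1)",
    "named_ref": "javascript&colon;alert(1)",   # assumed substitution for ":"
    "dec_ref": "javascript&#58;alert(1)",
    "hex_ref": "javascript&#x3a;alert(1)",
    "tab_in_scheme": "java\tscript:alert(1)",
    "relative": "index.php?module=Accounts",
    "https": "https://demo.corebos.com/",
}


def naive_href_is_safe(raw_href: str) -> bool:
    """Check the attribute text as written: catches only the literal form."""
    return not raw_href.lower().lstrip().startswith("javascript:")


def normalized_scheme(raw_href: str) -> Optional[str]:
    """Return the URL scheme a browser would see for this attribute value.

    Character references are decoded first (the HTML parser does this for
    attribute values), then ASCII whitespace and C0 controls are removed
    (the URL parser strips these before recognising the scheme).
    """
    decoded = html.unescape(raw_href)
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", decoded)
    m = re.match(r"^([A-Za-z][A-Za-z0-9+.\-]*):", cleaned)
    return m.group(1).lower() if m else None


def strict_href_is_safe(raw_href: str) -> bool:
    """Allowlist the scheme after normalisation; scheme-less (relative) URLs pass."""
    scheme = normalized_scheme(raw_href)
    return scheme is None or scheme in ALLOWED_SCHEMES


def render_anchor(raw_href: str, text: str, policy=strict_href_is_safe) -> str:
    """Emit an <a> tag, dropping href entirely when the policy rejects it."""
    safe_text = html.escape(text)
    if policy(raw_href):
        # Re-encode the normalised value so it cannot break out of the
        # attribute; its scheme has already been vetted above.
        safe_href = html.escape(html.unescape(raw_href), quote=True)
        return '<a href="%s">%s</a>' % (safe_href, safe_text)
    return "<a>%s</a>" % safe_text


def compare(samples=SAMPLES):
    """Return {name: (naive_verdict, strict_verdict)} for every sample."""
    return {k: (naive_href_is_safe(v), strict_href_is_safe(v)) for k, v in samples.items()}


if __name__ == "__main__":
    for name, (naive, strict) in compare().items():
        n = "allow" if naive else "block"
        s = "allow" if strict else "block"
        print("%-14s naive=%-5s strict=%s" % (name, n, s))
```

Running the block prints one line per sample; every encoded or whitespace-split form is allowed by the naive check and blocked by the strict one, while the relative and https links pass both. Dropping the attribute on rejection (rather than trying to repair it) is the safer choice for a sanitizer that has to run in 100+ call sites, because the output is then always an anchor the browser cannot turn into script.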
Proof of Concept
For example, the "NewReport0" file passes the "reportmodule" parameter through "vtlib_purify" and prints the user's input after sanitization. We can get XSS there using the payload above.
We can also get stored XSS in comments. Check https://demo.corebos.com/index.php?module=Accounts&action=DetailView&record=87 ; you will see a comment created by me that includes XSS.
This vulnerability leads to XSS in many places (100+), because the whole project uses "vtlib_purify" to sanitize user input.