CVE-2022-39839: Stored XSS on forum · Issue #1661 · Cotonti/Cotonti

Cotonti Siena 0.9.20 allows admins to conduct stored XSS attacks via a forum post.


Stored XSS on forum #1661

delyura opened this issue

Aug 30, 2022

· 4 comments

Comments

Hello, we found a stored XSS on the forum.
Tested on the latest version, 0.9.20.
PoC:

  1. Create a new topic with a poll

  2. The XSS executes

This thing is available only to administrators. This is related to the HTML Purifier settings. Administrators have more permissions than regular users.

JavaScript needs to be disabled in HTMLPurifier for admins too, somehow.

Alex300 added a commit that referenced this issue

Sep 4, 2022

<script> tags are disabled in HTMLPurifier for admins too

Creating blacklists is not best practice, you should use whitelist. For example, you disable the <script> tag, but the payload <img src=x onerror=alert(1)> will work.
For a comprehensive list, check out the DOMPurify allowlist.

Are you suggesting making a whitelist with all possible valid options, except for the <script> tag :)?

> but the payload <img src=x onerror=alert(1)>

Really? I can’t reproduce this case.

Moreover, this situation is only possible if an administrator saves text containing the XSS script. Regular users have stricter HTMLPurifier settings.
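The allow-list versus deny-list point raised above, as an added example that is not part of the issue thread and not Cotonti's code. It contrasts two HTMLPurifier profiles for administrator forum posts: a deny-list profile in the shape the commit title describes (a permissive profile with `<script>` forbidden on top), and an allow-list profile that enumerates the tags and attributes a post needs. Which directives Cotonti's real admin profile sets is not stated in the thread, so the deny-list profile is an assumption, as are the Composer autoload path and the sample post.

```php
<?php
// Added example (not Cotonti's code): two HTMLPurifier profiles for admin posts.
// Whether a given payload survives the deny-list profile depends on everything
// else the permissive base profile enables, which this thread does not settle;
// the allow-list profile is checked explicitly below.
require_once __DIR__ . '/vendor/autoload.php'; // assumed Composer layout

// Deny-list profile (assumed shape): start from the permissive "trusted" profile,
// which enables script-capable markup, then forbid one element by name.
// Anything not explicitly forbidden stays allowed.
function adminDenyListPurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Trusted', true);
    $config->set('HTML.ForbiddenElements', ['script']);
    return new HTMLPurifier($config);
}

// Allow-list profile: enumerate exactly the tags and attributes a forum post
// needs. Anything else, including every on* event-handler attribute, is
// dropped because it was never allowed in the first place.
function adminAllowListPurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed',
        'p,br,b,i,u,strong,em,blockquote,pre,code,ul,ol,li,' .
        'a[href|title],img[src|alt|title]');
    // Keep link and image URLs to web schemes only.
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    return new HTMLPurifier($config);
}

// Check a test suite can run on sanitizer output: no <script> element and no
// on* event-handler attribute may remain.
function containsScriptOrHandler(string $html): bool
{
    return stripos($html, '<script') !== false
        || preg_match('/\son[a-z]+\s*=/i', $html) === 1;
}

// Constructed sample post: ordinary markup plus the two payloads from the thread.
$post = '<p>Poll question</p>'
      . '<script>alert(1)</script>'
      . '<img src=x onerror=alert(1)>';

$allowListed = adminAllowListPurifier()->purify($post);
assert(!containsScriptOrHandler($allowListed));
echo $allowListed, PHP_EOL;

$denyListed = adminDenyListPurifier()->purify($post);
echo (containsScriptOrHandler($denyListed) ? 'deny-list: payload survived' : 'deny-list: clean'), PHP_EOL;
```

The allow-list profile is the one to reason about: every element or attribute it emits is one that was named in `HTML.Allowed`, so a reviewer can audit the whole attack surface by reading one string. The deny-list profile has to be re-audited against every feature the permissive base enables, which is the maintenance burden the reviewer in the thread is pointing at.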

