CVE-2021-44565: XSS Filter Bypass in MarkDown and Other Fields Due to Usage of Outdated Filter (#307) · Issues · François Jacquet / rosariosis

Hi @francoisjacquet,

I found a way to bypass the XSS sanitization that appears to be used for MarkDown and some other fields in RosarioSIS. The vulnerability is present in the latest version. Details are described below.

XSS Filter Bypass in MarkDown and Other Fields Due to Usage of Outdated Filter

To prevent Cross-Site Scripting (XSS) attacks, user input from MarkDown and other input fields is filtered via the function xss_clean(...) as defined in the file classes/Security.php. As stated in the function’s documentation:

This function and other functions that it uses are taken from Codeigniter 2.1.3 and modified them to our needs. In turn, I have taken this from JasonMortonNZ.

Consequently, any vulnerabilities contained in xss_clean(...) from CodeIgniter 2.1.3 and potentially later versions likely also affect the xss_clean(...) function as implemented in RosarioSIS. As an example, the vulnerability described at https://nealpoole.com/blog/2013/07/codeigniter-21-xss-clean-filter-bypass/ also affects RosarioSIS, meaning XSS is possible. To get an indication of the affected code, the command line tool grep can be used in the root directory of RosarioSIS like so:

grep -R "SanitizeHTML\|SanitizeMarkDown\|MarkDownToHTML\s*(.*)" --include="*.php" .

Proof of Concept

In this PoC, an admin user is used for simplicity. Note however, that because the vulnerable code is used at multiple locations throughout RosarioSIS’ code, students or teachers may also be capable of exploiting this vulnerability within some other functionality. The exploitation steps are as follows:

1. Log in as admin

2. Go to http://rosariosis.local/Modules.php?modname=School_Setup/PortalNotes.php. Note that the domain name may have to be adapted to your setup.

3. Create a new note with some title like “My XSS” and enter into the MarkDown input field for the note:

   <img src="a" onerror="eval(atob('cHJvbXB0KDEpOw=='));"
   

   The Base64 string simply encodes the payload prompt(1);

4. Save the note

5. The page refreshes automatically and the XSS payload is executed: Note that the XSS payload is stored persistently in this case.

Remediation

To fix the explicitly shown vulnerability and others inherited from the outdated CodeIgniter code, RosarioSIS’ xss_clean(...) function should be updated to match CodeIgniter’s latest implementation of the respective function. Further, plainly copying security-related code should be avoided as such code can become outdated and susceptible to known vulnerabilities already discovered in the original code. Rather, a mechanism to keep the “copied” code up to date and match the latest version of the orignal code should be used.

To upload designs, you’ll need to enable LFS and have an admin enable hashed storage. More information