CVE-2021-44565: XSS Filter Bypass in MarkDown and Other Fields Due to Usage of Outdated Filter (#307) · Issues · François Jacquet / rosariosis
A Cross Site Scripting (XSS) vulnerability exists in RosarioSIS before 7.6.1 via the xss_clean function in classes/Security.php, which allows remote malicious users to inject arbitrary JavaScript or HTML. An example of affected components are all Markdown input fields.
Hi @francoisjacquet,
I found a way to bypass the XSS sanitization that appears to be used for MarkDown and some other fields in RosarioSIS. The vulnerability is present in the latest version. Details are described below.
XSS Filter Bypass in MarkDown and Other Fields Due to Usage of Outdated Filter
To prevent Cross-Site Scripting (XSS) attacks, user input from MarkDown and other input fields is filtered via the function xss_clean(...) as defined in the file classes/Security.php. As stated in the function’s documentation:
This function and other functions that it uses are taken from Codeigniter 2.1.3 and modified them to our needs. In turn, I have taken this from JasonMortonNZ.
Consequently, any vulnerabilities contained in xss_clean(...) from CodeIgniter 2.1.3 and potentially later versions likely also affect the xss_clean(...) function as implemented in RosarioSIS. As an example, the vulnerability described at https://nealpoole.com/blog/2013/07/codeigniter-21-xss-clean-filter-bypass/ also affects RosarioSIS, meaning XSS is possible. To get an indication of the affected code, the command line tool grep can be used in the root directory of RosarioSIS like so:
grep -R "SanitizeHTML\|SanitizeMarkDown\|MarkDownToHTML\s*(.*)" --include="*.php" .
Proof of Concept
In this PoC, an admin user is used for simplicity. Note, however, that because the vulnerable code is used at multiple locations throughout RosarioSIS’ code, students or teachers may also be capable of exploiting this vulnerability within some other functionality. The exploitation steps are as follows:
Log in as admin.
Go to http://rosariosis.local/Modules.php?modname=School_Setup/PortalNotes.php. Note that the domain name may have to be adapted to your setup.
Create a new note with some title like “My XSS” and enter into the MarkDown input field for the note:
<img src="a" onerror="eval(atob('cHJvbXB0KDEpOw=='));"
The Base64 string simply encodes the payload prompt(1);
Save the note.
The page refreshes automatically and the XSS payload is executed. Note that the XSS payload is stored persistently in this case.
Remediation
To fix the explicitly shown vulnerability and others inherited from the outdated CodeIgniter code, RosarioSIS’ xss_clean(...) function should be updated to match CodeIgniter’s latest implementation of the respective function. Further, plainly copying security-related code should be avoided, as such code can become outdated and susceptible to known vulnerabilities already discovered in the original code. Rather, a mechanism to keep the “copied” code up to date and matching the latest version of the original code should be used.
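As an added regression check (not RosarioSIS or CodeIgniter code), the following PHP script runs the project's sanitizer on the payload from this report and exits non-zero if an inline event handler survives, so the fix can be verified and guarded against future regressions. It assumes the script is placed in the RosarioSIS root, that classes/Security.php can be included stand-alone, and that it defines xss_clean(string $str): string (signature is an assumption).

```php
<?php
// Added regression check, not RosarioSIS code. Assumptions: this script is run
// from the RosarioSIS root, classes/Security.php can be included on its own,
// and it defines xss_clean(string $str): string.
require_once __DIR__ . '/classes/Security.php';

// Returns true when the string carries no inline event-handler attribute
// (on*=) and no javascript: URL, checked case-insensitively.
function handler_neutralized(string $html): bool
{
    if (preg_match('/\bon[a-z]+\s*=/i', $html)) {
        return false;
    }
    if (stripos($html, 'javascript:') !== false) {
        return false;
    }
    return true;
}

// The payload from the report: an unclosed <img> tag with an onerror handler.
$payload = '<img src="a" onerror="eval(atob(\'cHJvbXB0KDEpOw==\'));"';

// Sanity check: the detector must flag the raw, unsanitized payload,
// otherwise a passing result below would be meaningless.
if (handler_neutralized($payload)) {
    fwrite(STDERR, "Detector did not flag the raw payload; check aborted\n");
    exit(2);
}

$sanitized = xss_clean($payload);
if (handler_neutralized($sanitized)) {
    echo "OK: handler removed, output: " . $sanitized . PHP_EOL;
    exit(0);
}

echo "FAIL: handler survived sanitization, output: " . $sanitized . PHP_EOL;
exit(1);
```

The exit code lets the script gate a CI job, so a later update of the copied filter code cannot silently reintroduce the bypass.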