
Stored XSS in profile parameter #7

Open
fiammybe opened this issue Jan 30, 2021 · 0 comments

Link: https://hackerone.com/reports/1080689
Date: 2021-01-18 09:17:19 UTC
By: wezery0
Weakness: Cross-site Scripting (XSS) - Stored

Details:

Summary:

There is a Cross-Site Scripting vulnerability in the profile parameter - url

Testing setup:

ImpressCMS 1.4.2 running on PHP Version 7.2.24

Installed modules:

  • system (version 1.4.2)
  • profile (version 2.4)

Vulnerable code example

The profile module contains a lack of validation of the parameters passed by the user when editing a profile.
File: /htdocs/modules/profile/edit-user.php (lines 85-92)
Vulnerable code example:

// Excerpt from the loop over the submitted profile fields in edit-user.php:
// the raw request value is handed to getValueForSave() and then stored,
// with no filtering in between.
if (in_array($fieldname, $profile_handler->getUserVars())) {
	$value = $fields[$i]->getValueForSave($_REQUEST[$fieldname], $edituser->getVar($fieldname, 'n'));
	$edituser->setVar($fieldname, $value);
} else {
	$value = $fields[$i]->getValueForSave((isset($_REQUEST[$fieldname]) ? $_REQUEST[$fieldname] : ""), $profile->getVar($fieldname, 'n'));
	$profile->setVar($fieldname, $value);
}

In this code, the getValueForSave function is called, which has a lack of input data validation.
File: /htdocs/modules/profile/class/Field.php (lines 295-312)
Vulnerable code example:

public function getValueForSave($value, $oldvalue) {
	switch ($this->getVar('field_type')) {
		default:
		case "textbox":
		case "textarea":
		case "dhtml":
		case "yesno":
		case "timezone":
		case "theme":
		case "language":
		case "select":
		case "radio":
		case "select_multi":
		case "checkbox":
		case "group":
		case "group_multi":
		case "longdate":
			// The request value is returned unchanged: no escaping and no
			// URL scheme check, so a "javascript:" value is stored as-is.
			return $value;
		// remaining cases (up to line 312) are not quoted in the report
	}
}

Steps To Reproduce:

### Plant an XSS payload

  1. Login to your account
  2. Edit your account via /htdocs/modules/profile/edituser.php and change website param to javascript:alert(1)

The request will look like this

POST /impress/htdocs/modules/profile/edituser.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 482
Cookie: <COOKIE>

login_name=impress&url=javascript%3Aalert%281%29&rank=7&submit=Save+changes&XOOPS_TOKEN_REQUEST=<TOKEN>&uid=1&op=save

### Fire an XSS payload

  1. Log in as admin to the system
  2. Navigate to user search from the system module (/htdocs/modules/system/admin.php)
  3. Find the previously edited user
  4. Click the www button to fire the XSS payload

Suggestions to mitigate or resolve the issue:

Add filtering of user input values, like the one used in the standard user editing functionality

### Additional participants
This vulnerability was found in collaboration with
https://hackerone.com/d3addog
Please add him to this report, if possible.

Impact

A malicious attacker can potentially obtain sensitive information or perform actions on the user's behalf.
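One shape the suggested input filtering could take, as an added example that is not ImpressCMS code (the names sanitizeProfileUrl and renderWwwLink are assumptions): only absolute http(s) URLs are accepted for the website field on save, and the stored value is re-validated and escaped again when the www link is rendered.

```php
<?php
// Added example, not ImpressCMS code: validate the profile "url" field
// before it is saved and escape it again when the "www" link is rendered.
// Function names are assumptions.

// Accept only absolute http(s) URLs; return "" when the value must be dropped.
function sanitizeProfileUrl(string $value): string
{
    $value = trim($value);
    // Browsers strip control characters/whitespace before scheme detection,
    // so reject them outright instead of trying to normalise.
    if ($value === '' || preg_match('/[\x00-\x20\x7f]/', $value)) {
        return '';
    }
    $parts = parse_url($value);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return '';
    }
    // Scheme allow-list: javascript:, data:, vbscript: etc. are dropped.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return '';
    }
    return filter_var($value, FILTER_VALIDATE_URL) === false ? '' : $value;
}

// Build the "www" link from a stored value, re-validating and escaping on output.
function renderWwwLink(string $storedUrl): string
{
    $safe = sanitizeProfileUrl($storedUrl);
    if ($safe === '') {
        return '';
    }
    $esc = htmlspecialchars($safe, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $esc . '" rel="noopener noreferrer">www</a>';
}

// Constructed sample inputs: the report's payload plus benign values.
$samples = [
    'javascript:alert(1)'            => '',
    'JAVASCRIPT:alert(1)'            => '',
    'example.com'                    => '', // no scheme: rejected, not guessed
    'https://example.com/me?a=1&b=2' => 'https://example.com/me?a=1&b=2',
];
foreach ($samples as $in => $want) {
    if (sanitizeProfileUrl($in) !== $want) {
        throw new RuntimeException("unexpected result for $in");
    }
}
echo renderWwwLink('https://example.com/me?a=1&b=2'), PHP_EOL;
```

Validating on output as well as on save matters here because values stored before the fix would otherwise still reach the href.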
