Cacti/cacti

Stored XSS in lib/functions.php:1519

scarvell opened this issue · 3 comments

Lower risk, given that an account requires access to be able to add/edit external links to store the XSS, but line 1519 of lib/html.php isn't sanitizing $tab['title'].

print "<li><a id='" . (isset($tab['id']) ? $tab['id'] : 'maintab-anchor-' . $i) . "' class='lefttab" .(isset($tab['selected']) ? ' selected':'') . "' href='" . $tab['url'] . "'>" . $tab['title'] . "</a></li>\n";

Although the title field in external_links is a varchar(20), we can get around that restriction by creating multiple tabs and using comment blocks to keep the XSS valid:

Create the first tab with title:
<script>alert(1)/*

Create the second tab with title:
*/</script>

[Screenshot: stored XSS in external links]

Tested against version 1.1.17

Agree, but we will fix it anyway.

Resolved.

fgeek commented

Please use CVE-2017-12978 for this issue.
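
Output encoding applied to the print statement quoted in the report, as an added example that is not Cacti's code or the project's actual patch. The function names `render_tab_unsafe`, `render_tab_safe` and `e`, and the sample URLs, are hypothetical; the two titles are the ones from the report.

```php
<?php
// Added example, not Cacti's code. render_tab_unsafe() mirrors the print
// statement quoted in the issue; render_tab_safe() is a hypothetical fix.

function render_tab_unsafe(array $tab, int $i): string {
    return "<li><a id='" . (isset($tab['id']) ? $tab['id'] : 'maintab-anchor-' . $i)
        . "' class='lefttab" . (isset($tab['selected']) ? ' selected' : '')
        . "' href='" . $tab['url'] . "'>" . $tab['title'] . "</a></li>\n";
}

// Encode at output time. ENT_QUOTES matters here because the attributes are
// single-quoted, and before PHP 8.1 htmlspecialchars() left ' untouched
// unless this flag was passed.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_tab_safe(array $tab, int $i): string {
    $id = isset($tab['id']) ? (string) $tab['id'] : 'maintab-anchor-' . $i;
    return "<li><a id='" . e($id)
        . "' class='lefttab" . (isset($tab['selected']) ? ' selected' : '')
        . "' href='" . e($tab['url']) . "'>" . e($tab['title']) . "</a></li>\n";
}

// Constructed sample rows: the two titles from the report, each within the
// varchar(20) limit. The URLs are placeholders.
$tabs = [
    ['url' => 'link.php?id=1', 'title' => '<script>alert(1)/*'],
    ['url' => 'link.php?id=2', 'title' => '*/</script>'],
];

$unsafe = '';
$safe   = '';
foreach ($tabs as $i => $tab) {
    $unsafe .= render_tab_unsafe($tab, $i);
    $safe   .= render_tab_safe($tab, $i);
}

// Unsafe: the markup emitted between the two titles falls inside a JS
// comment, so the two rows combine into one complete <script> element.
var_dump(strpos($unsafe, '<script>') !== false);
// Safe: every value is encoded on its own, so no tag can span two rows
// and the column length limit no longer matters.
var_dump(strpos($safe, '<script>') !== false);
echo $safe;
```

Encoding makes the `href` value safe as an attribute but does not restrict its URL scheme; that needs a separate allow-list check when the link is saved.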