Leafpub/leafpub

Stored Cross-site Scripting (XSS)

prodigysml opened this issue · 3 comments

Issue Summary

Stored Cross-site Scripting (XSS) in the page editor, causing any author to get arbitrary JavaScript execution in any viewer's browser.

Steps to Reproduce

  1. Log in to a user with writer permissions
  2. Choose to edit a blog post
  3. Choose to embed a resource. A side panel will appear asking you for code.
  4. Enter the following payload in the side panel: <IFRAME SRC="javascript:alert(1);"></IFRAME>, and save the blog.
  5. View the blog and observe an alert box pop up.

Additional info

  • Leafpub version: 1.2.0-beta6
  • PHP version: 7.0
  • Affected browsers: All that can run javascript
  • Operating system: Ubuntu
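A server-side allowlist check of the kind this report calls for, as an added example (Python, not Leafpub's code; the allowed tags and attributes are an assumed policy): it rejects the iframe payload above, including whitespace- and entity-obfuscated javascript: URLs, passes an https embed unchanged, and reports what it dropped so the rejection can be logged against the author's account.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist policy for the embed panel: tag -> permitted attributes.
ALLOWED = {
    "iframe": {"src", "width", "height", "title"},
    "p": set(), "a": {"href"}, "em": set(), "strong": set(),
}
URL_ATTRS = {"src", "href"}
SAFE_SCHEMES = {"http", "https"}

def _url_ok(value: str) -> bool:
    # Browsers ignore ASCII control characters and whitespace inside a URL
    # ("java\tscript:"), so strip them before inspecting the scheme.
    cleaned = re.sub(r"[\x00-\x20]", "", value)
    return urlparse(cleaned).scheme.lower() in SAFE_SCHEMES

class EmbedSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities in text are decoded, then re-escaped
        self.out, self.dropped, self._skipped = [], [], []

    def handle_starttag(self, tag, attrs):
        allowed = ALLOWED.get(tag)
        kept = []
        if allowed is not None:
            for name, value in attrs:  # html.parser has already decoded entities in values
                value = value or ""
                if name in allowed and (name not in URL_ATTRS or _url_ok(value)):
                    kept.append(f' {name}="{html.escape(value, quote=True)}"')
        # An iframe without a safe src has no legitimate use: drop the whole element.
        if allowed is None or (tag == "iframe" and not any(k.startswith(" src=") for k in kept)):
            self.dropped.append(tag)
            self._skipped.append(tag)
            return
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in self._skipped:
            self._skipped.remove(tag)
        elif tag in ALLOWED:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

def sanitize_embed(fragment: str):
    """Return (safe_html, dropped_tags) for an untrusted embed-panel fragment."""
    parser = EmbedSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped
```

Store the sanitized fragment, not the raw one, so the check cannot be bypassed by editing the post through another route.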

I don't understand your point. You'll be able to embed an iframe with javascript on your own site? Or a person you've allowed to write on your site is able to do that?

Yes, a person you have allowed to write on your site is able to do that. The idea is, this can be used for denying service to other users and hijacking other users' sessions by stealing their session tokens (as HTTPOnly is not set on them).

Then you should choose your writers wisely.