octobercms/docs

Octobercms v3.5.15 has a Reflective XSS vulnerability

Hebing123 opened this issue · 3 comments

Description
Octobercms v3.5.15 has a reflected XSS vulnerability in the Laravel error page, allowing attackers to execute arbitrary front-end code on the page.
The XSS vulnerability is the result of a problem in Laravel's error output; it appears in any scenario that triggers a framework error, such as
http://[ip:port]/resize/3ba89c8245f19a59f1f41d754f71027%3Cisindex%3E%3Csvg%20onload=alert(document.cookie)%3E
http://[ip:port]/index.php/combine/%3Cisindex%3E%3Csvg%20onload=alert(document.cookie)%3E

Vulnerability recurrence requirements
The vulnerability occurs in the default configuration, where the APP_DEBUG mode has not been manually changed to false by the administrator.

Proof of Concept
http://[ip:port]/combine/;%3Cisindex%3E%3Csvg%20onload=alert(document.cookie)%3E


Impact
If a user or administrator accesses a page containing malicious code constructed by the attacker, the attacker can obtain the cookie.

Hi @Hebing123

This is debug information. Turn off debug mode (APP_DEBUG=false) before testing further.

Please also review the security policy for important information about disclosure: https://github.com/octobercms/october/security/policy

Best regards

Hello @daftspunk ,
I don't agree with you.
The debug mode of Octobercms is enabled by default, which means it needs to be manually disabled by the administrator. There is no question that if you do not turn off debug mode manually, you will create reflective XSS vulnerabilities.

For example, CVE-2021-3129: this vulnerability also occurs in Laravel debug mode. Do you think it is harmless? This is clearly unreasonable.
Laravel does not have debug enabled by default, but Laravel in Octobercms has debug mode enabled by default.

I found many Octobercms production environments online with debug mode enabled. So this is a vulnerability worth fixing; it has some harm.

Repair method:

  1. Change the error output mode of Laravel and filter the string in the uri.
  2. The debug mode is disabled by default.
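The two repair steps above, as an added defender-side example (not code from the issue or from October CMS): an audit that flags a `.env` with `APP_DEBUG` left on, and an escaping step that neutralizes the proof-of-concept path before it is echoed in an error page. The `.env` content is constructed, and the set of strings treated as "debug on" is an assumption modelled on Laravel's `env()` helper.

```python
"""Defender-side checks for the two repair steps discussed in the issue."""
import html
from urllib.parse import unquote

# Constructed sample .env (not from any real deployment): default-style
# configuration with debug mode still enabled.
SAMPLE_ENV = """# Application
APP_NAME="October CMS"
APP_DEBUG=true
APP_URL=http://localhost
"""

# The proof-of-concept path from the issue, URL-encoded as it would be sent.
POC_PATH = "/combine/;%3Cisindex%3E%3Csvg%20onload=alert(document.cookie)%3E"

# Assumption: values Laravel's env() helper treats as boolean true.
TRUTHY = ("true", "(true)", "1")


def parse_env(text: str) -> dict:
    """Minimal .env parser: KEY=VALUE lines, '#' comments, optional quotes."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def debug_mode_enabled(env: dict) -> bool:
    """A missing APP_DEBUG key counts as off; compare case-insensitively."""
    return env.get("APP_DEBUG", "false").lower() in TRUTHY


def audit_env(text: str) -> list:
    """Return findings for a .env file; an empty list passes this check."""
    findings = []
    if debug_mode_enabled(parse_env(text)):
        findings.append("APP_DEBUG is enabled: framework error pages will echo request data")
    return findings


def safe_error_path(raw_path: str) -> str:
    """Decode the request path once, then HTML-escape it before rendering it."""
    return html.escape(unquote(raw_path), quote=True)
```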

Hi @Hebing123

I've taken note of this.

The application default settings are based on Laravel.

In modern versions, there are several system warnings displayed in the admin panel when a system is not configured for production. There is a section dedicated to production configuration in the documentation.

Please follow the correct procedures in the future.

Thank you.