Stored XSS in TinyMCE editor

Bug #1153423 reported by Hugh Davenport
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Mahara
Fix Released
High
Hugh Davenport
1.5
Fix Released
Undecided
Unassigned
1.6
Fix Released
Undecided
Unassigned
1.7
Fix Released
Undecided
Unassigned

Bug Description

Reported by two independent researchers in different locations.

How to reproduce:
- Go to a page with a TinyMCE editor (such as /artefact/internal/ -> Introduction)
- Click the TinyMCE "HTML" button
- Enter payload of something like "<img src=x onmouseover=alert(1)>"
- Save page
- Reload, hover over broken image, notice the alert

The XSS is stored only for the editing part of the TinyMCE editor. I couldn't quickly find any location where
it was not escaped in the view section (which is blocktype dependant, the above example would be the
profileinfo blocktype from artefact/internal).

The fix is to escape the value sent to tinymce in lib/form/elements/wysiwyg.php, patch forthcoming.

The other location reported was in a new page, the "Page description" input. The same patch fixes this.

CVE References

Revision history for this message
Hugh Davenport (hugh-davenport) wrote :
Revision history for this message
Ahmad Ashraff (slumber1412) wrote : Re: [Bug 1153423] Re: Stored XSS in TinyMCE editor

Hey Hugh,
Thanks for that!

On Tue, Mar 12, 2013 at 5:15 AM, Hugh Davenport
<email address hidden>wrote:

> ** CVE added: http://www.cve.mitre.org/cgi-
> bin/cvename.cgi?name=2013-1426
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1153423
>
> Title:
> Stored XSS in TinyMCE editor
>
> Status in Mahara ePortfolio:
> Confirmed
>
> Bug description:
> Reported by two independent researchers in different locations.
>
> How to reproduce:
> - Go to a page with a TinyMCE editor (such as /artefact/internal/ ->
> Introduction)
> - Click the TinyMCE "HTML" button
> - Enter payload of something like "<img src=x onmouseover=alert(1)>"
> - Save page
> - Reload, hover over broken image, notice the alert
>
> The XSS is stored only for the editing part of the TinyMCE editor. I
> couldn't quickly find any location where
> it was not escaped in the view section (which is blocktype dependant,
> the above example would be the
> profileinfo blocktype from artefact/internal).
>
> The fix is to escape the value sent to tinymce in
> lib/form/elements/wysiwyg.php, patch forthcoming.
>
> The other location reported was in a new page, the "Page description"
> input. The same patch fixes this.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/mahara/+bug/1153423/+subscriptions
>

--
*Thanks,
@yappare
*

Son Nguyen (ngson2000)
Changed in mahara:
status: Confirmed → In Progress
Aaron Wells (u-aaronw)
Changed in mahara:
status: In Progress → Fix Committed
milestone: none → 1.6.4
milestone: 1.6.4 → none
milestone: none → 1.7.0
milestone: 1.7.0 → none
Revision history for this message
Aaron Wells (u-aaronw) wrote :
Revision history for this message
Aaron Wells (u-aaronw) wrote :
Aaron Wells (u-aaronw)
information type: Private Security → Public Security
Aaron Wells (u-aaronw)
Changed in mahara:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers