XSS via uploaded XML
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Mahara | Fix Released | High | Son Nguyen | |
1.10 | Fix Released | High | Son Nguyen | |
1.8 | Fix Released | High | Unassigned | |
1.9 | Fix Released | High | Unassigned | |
15.04 | Fix Released | High | Son Nguyen | |
Bug Description
Reported by Roman Mironov
Dear Sir/Madam,
I have found a security vulnerability and would like to disclose it to you.
An attacker can use this vulnerability to initiate stored Cross-Site scripting attacks on authenticated users.
Bug Description:
It is possible to upload .xml files with malicious code and then share them with users.
As proof of concept it was possible to share a file between accounts that redirects the user to google.com.
In order to reproduce this proof of concept please follow these steps:
Preconditions:
1) Ensure you have 2 accounts (user A and user B) that have access to each other's Journal entries.
2) Create an .xml file that has the following line of code:
<script xmlns="http://
Steps to Reproduce:
1) Log in as user A.
2) Navigate to /artefact/
3) Press the 'New Entry' button.
4) Enter any Title and Entry text.
5) Add the previously created .xml file as an attachment and press 'Save Entry'.
6) Log in as user B.
7) Navigate to user A's profile page.
8) Find the previously created Journal entry and press the 'Download' button next to the .xml file name.
9) Observe that you are redirected to google.
CVE References
information type: Private Security → Public Security
Changed in mahara:
status: Fix Committed → Fix Released
We need to filter out all malicious code in XML files, like we do for HTML.
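
Added example (not from the report or from Mahara's code base, and written in Python rather than Mahara's PHP): a namespace-aware check of an uploaded XML attachment for elements a browser would treat as HTML, together with the headers a download endpoint could send. The function names, the sample documents and the header policy are assumptions made for illustration.

```python
import xml.parsers.expat

# Standard W3C namespace URI. Browsers treat elements in it as HTML when an
# XML document is rendered, so a <script> there runs in the serving origin.
XHTML_NS = "http://www.w3.org/1999/xhtml"

# Constructed sample uploads (no payloads), used to exercise the scanner.
SAMPLE_PLAIN = b"<notes><note>hello</note></notes>"
SAMPLE_DEFAULT_NS = b'<root><script xmlns="http://www.w3.org/1999/xhtml"/></root>'
SAMPLE_PREFIXED = b'<root xmlns:h="http://www.w3.org/1999/xhtml"><h:script/></root>'
SAMPLE_DTD = b'<!DOCTYPE r [<!ENTITY e "x">]><r>&e;</r>'


class DoctypeRejected(Exception):
    """Uploads that carry a DTD are refused outright."""


def scan_uploaded_xml(data):
    """Return reasons the upload must not be rendered inline (empty if none)."""
    findings = []

    def start_element(name, attrs):
        # With namespace_separator=" " expat reports names as "<uri> <local>",
        # so prefixed and default-namespace forms look identical here.
        uri, _, local = name.rpartition(" ")
        if uri == XHTML_NS:
            findings.append(f"XHTML element <{local}>")

    def doctype(*_args):
        raise DoctypeRejected("DOCTYPE not allowed")

    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    parser.StartElementHandler = start_element
    parser.StartDoctypeDeclHandler = doctype
    try:
        parser.Parse(data, True)
    except (xml.parsers.expat.ExpatError, DoctypeRejected) as exc:
        findings.append(f"refused: {exc}")
    return findings


def download_headers(data):
    """Response headers for an attachment download (hypothetical helper)."""
    flagged = bool(scan_uploaded_xml(data))
    return {
        "Content-Type": "application/octet-stream" if flagged else "application/xml",
        "Content-Disposition": "attachment",  # save to disk, never render
        "X-Content-Type-Options": "nosniff",
    }
```

A plain string match on `<script` would miss the prefixed form in `SAMPLE_PREFIXED`; resolving namespaces in the parser is what makes both forms report the same finding.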