Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Stored XSS within article creation #253

Closed
prodigysml opened this issue Sep 22, 2017 · 7 comments
Closed

Stored XSS within article creation #253

prodigysml opened this issue Sep 22, 2017 · 7 comments
Assignees
@haruka-7
Labels
bug
Milestone
PluXml 5.8

Comments

@prodigysml
Copy link

A writer or the administrator can write javascript within the page, which can then be used to steal other user's session tokens (actually quite possible as the session token doesn't have HttpOnly enabled). Adding something like , in the article's content stores the payload on the server.
Then any user who visits the page is affected by the payload.

I would advise HTML encoding the user input and also setting the HttpOnly flag on the session token.
@bazooka07
Copy link
Collaborator

Yes.
By default, session.cookie_httponly is empty in php.ini.

useful link:
http://php.net/manual/en/session.configuration.php#ini.session.cookie-httponly

@fgeek
Copy link

fgeek commented Nov 11, 2017

I don't think it is a issue when administrator can input any JavaScript to the articles, but it's an issue that regular writer can do so or are all writers automatically fully trusted? Missing HttpOnly is separate issue, but should be fixed as well. This also affects Debian unstable.

@pluxml
Copy link
Collaborator

pluxml commented Dec 20, 2017

@bazooka07 as-tu une suggestion pour corriger session.cookie_httponly ?

@bazooka07
Copy link
Collaborator

Je n'ai pas fait d'essais mais a priori la fonction session_set_cookie_params devrait faire le job avec httponly=true.
http://php.net/manual/fr/function.session-set-cookie-params.php
En profiter pour régler lifetime qui par défaut est égal à 0. 1 à 2H pour rédiger un article devrait suffire.

@bazooka07
Copy link
Collaborator

bazooka07 commented Dec 20, 2017
edited
Loading

En complement du précèdent post, voici un article à lire:
https://phackt.com/xss-cors-csrf-partie-2-xss-cookies-session
Et donc, tester ceci :

<?php
const LIFETIME = 2 x 60 x 60; # secondes
session_set_cookie_params(LIFETIME, $plxAdmin->racine.'core/admin/', $_SERVER['SERVER_NAME'], isset($_SERVER["HTTPS"]), true);
?>

Autre lien intéressant:
https://php.earth/docs/security/intro
Voir en particulier "Directory traversal (path injection)". A rapprocher de la valeur de PLX_ROOT.
PLX_ROOT est à bannir de toutes les urls.
Autre souci : config.php ne devrait pas être à la racine du site. Le cacher dans le dossier core.

@NicoleG25
Copy link

Regarde que CVE-2017-1001001 assigné à cette vulnérabilité,

était-ce réparé?
@bazooka07

@haruka-7 haruka-7 self-assigned this Jan 2, 2020
@haruka-7 haruka-7 added the bug label Jan 2, 2020
@haruka-7 haruka-7 added this to the PluXml 5.8 milestone Jan 2, 2020
haruka-7 pushed a commit that referenced this issue Jan 2, 2020
@pedrocadete
FIX #253 Faille XSS session cookie
bb85da6
@haruka-7 haruka-7 mentioned this issue Jan 2, 2020
Merged
@haruka-7
Copy link
Collaborator

haruka-7 commented Jan 2, 2020

Hi @NicoleG25, I think we can have a first fix (PR #357) for the next PluXml release wich is planned for this week.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@haruka-7 haruka-7

Labels
bug
Projects
None yet
Milestone
PluXml 5.8
Development

No branches or pull requests
5 participants
@fgeek @haruka-7 @bazooka07 @prodigysml @NicoleG25