-
-
Notifications
You must be signed in to change notification settings - Fork 125
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Bug Report] Security issue XSS in error parameter #289
Comments
Oops that's bad! I will do a bug fix release soon. Thanks for catching this! |
@hkalexling thanks for tackling that quickly! 🎉 I would also suggest for the sake of users to publish a security advisory :) |
Thanks! It would be great if you could update the issue for any additional XSS vulnerabilities and create new tickets for other security issues. Oh, I didn't know it's a thing! I will look into it. By the way, I think the severity of this particular vulnerability is not high - the only way for it to work is for the attacker to craft the URL and trick the victim into opening it. Or maybe I am missing something? |
The attack is a client side attack but is definitely on the high severity side. Using simple And make the script call a remote attacker server with Because the attack builds on Meanwhile attacker gets admin access by using the session cookie. So in large yes, it's client side, but it's easy to weaponize and has high impact. I hope my explanation makes sense :) |
Yeah I agree. I didn't think about the psychological aspect of that, and it makes total sense. Thanks for your time in checking and explaining this, really appreciate it! |
@hkalexling Seems the username param is also vulnerable:
url: |
Sanitize parameters on user edit page (fixes #289)
Hi there! The issue has been fixed in v0.26.1. Thanks for the bug report! |
Describe the bug
In the Error entrypoint at
/admin/user/edit?error=error message
there is a lack of proper string sanitation allowing for an XSS (Cross Site Scripting) attack.While working on testing the https://github.com/NeuraLegion/sec_tester shard by integration to multiple projects I've found that there was a High severity issue in that parameter.
To Reproduce
Steps to reproduce the behavior:
/admin/user/edit?error=error message
error message
to%3CIFRAME+onMouseOver%3Dalert%28298311%29+src%3D%22javascript%3Aalert%28298311%29%3B%22%3E%3C%2FIFRAME%3E
298311
Expected behavior
The alert shouldn't be raised and the user should either not be allowed to control the error message, or if this is needed then string sanitation to remove all non alphanumeric values should be added.
Docker (if you are running Mango in a Docker container)
Additional context
There were other Low severity issues found and I haven't really covered much of the application with the tests, It might be worth to make a bigger scope check
The text was updated successfully, but these errors were encountered: