BlackCatDevelopment / BlackCatCMS

BlackCat CMS is a PHP5, HTML5 content management system
https://blackcat-cms.org

XSS Vulnerability on Modify Group Page #408

Closed aydinnyunus closed 3 years ago

aydinnyunus commented 3 years ago

Summary

An authenticated malicious user can take advantage of an XSS vulnerability in the "Modify Group" feature in Admin

Steps to Reproduce:

  • Log in to the Admin panel
  • Go to '/backend/groups/index.php'
  • Add group with name '">
  • Save group.

Impact

  • Cookie Stealing - A malicious user can steal cookies and use them to gain access to the application.
  • Arbitrary requests - An attacker can use XSS to send requests that appear to be from the victim to the web server.
  • Malware download - XSS can prompt the user to download malware. Since the prompt looks like a legitimate request from the site, the user may be more likely to trust the request and actually install the malware.
  • Defacement - An attacker can deface the website using JavaScript code.

Add group with name: https://twitter.com/XssPayloads/status/1270944976705335296

Vulnerability affects all of the admin endpoints.

webbird commented 3 years ago

The group name is saved as \"\">

webbird commented 3 years ago

The group name is now escaped with htmlspecialchars(). Not a perfect solution, but good enough as backend access is required.
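An added illustration of the escaping discussed in this thread (not BlackCat CMS code; the template, function names and sample group name are constructed for the demonstration): the same group name rendered with and without `htmlspecialchars()`, and why `ENT_QUOTES` and an explicit charset matter when the value also lands inside an attribute.

```php
<?php
// Added example, not BlackCat CMS code: render a group name unescaped
// (the reported behaviour) and escaped, then check the escaped output.

/** Escape a value for insertion into HTML text or a double-quoted attribute. */
function escape_html(string $value): string
{
    // ENT_QUOTES also converts single quotes, which the default flags leave
    // alone; ENT_SUBSTITUTE avoids returning '' on an invalid UTF-8 sequence.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Render a group row; $escape = false mirrors the pre-fix behaviour. */
function render_group_row(string $name, bool $escape): string
{
    $out = $escape ? escape_html($name) : $name;
    // The name appears both as text and inside an attribute value, so a
    // double quote in it is what breaks out of the attribute (constructed markup).
    return '<tr><td>' . $out . '</td>'
         . '<td><input type="text" name="group_name" value="' . $out . '"></td></tr>';
}

/** Defensive check: nothing derived from $name may survive as raw '<' or '"'. */
function name_is_inert(string $name): bool
{
    $row = render_group_row($name, true);
    // Strip the fixed template pieces, leaving only what came from $name.
    $fromName = str_replace(
        ['<tr><td>', '</td><td><input type="text" name="group_name" value="', '"></td></tr>'],
        '',
        $row
    );
    return strpos($fromName, '<') === false && strpos($fromName, '"') === false;
}

// Constructed sample: a quote followed by a tag, in the spirit of the report.
$sampleName = '"><b>x</b>';

echo "Unescaped: " . render_group_row($sampleName, false) . PHP_EOL;
echo "Escaped:   " . render_group_row($sampleName, true) . PHP_EOL;
var_dump(name_is_inert($sampleName));
```

Escaping at output time covers the HTML body and quoted-attribute contexts shown here; a value placed into a JavaScript block or an unquoted attribute would need context-specific encoding instead.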