MioVisman / FluxBB_by_Visman

My modification of FluxBB
GNU General Public License v2.0

FLUXBB 1.5.11 BLOG CROSS SITE SCRIPTING #13

Closed iznogoud59 closed 3 years ago

iznogoud59 commented 3 years ago

Hello,

Do you know about this: https://vuldb.com/?id.167059 ? Is it fixed in your version?

Thanks

MioVisman commented 3 years ago

Could it be a fake? I cannot reproduce the author's example on either the original FluxBB or FluxBB_by_Visman.

Description: https://github.com/hemantsolo/CVE-Reference/blob/main/CVE-2020-35240.md

Attempt to reproduce: https://fluxbb.org/forums/viewtopic.php?id=9829 (The link is valid only for users, not for guests.)

The result is negative: there is no script, just text.

<h3>&gt;&#039;&gt;&quot;&gt;&lt;img src=x onmouseover =prompt(document.domain)&gt;</h3>
<div class="postmsg">
    <p>&gt;&#039;&gt;&quot;&gt;&lt;img src=x onmouseover =prompt(document.domain)&gt;</p>
</div>

P.S. Additional information: in FluxBB, user cookies are not accessible from JavaScript. The httponly flag is enabled by default. https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#restrict_access_to_cookies
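As an added check (not code from the thread or from FluxBB), the following mimics the PHP htmlspecialchars(..., ENT_QUOTES) escaping that yields the markup quoted above, and scans rendered HTML for tags carrying event-handler attributes, which is the regression test a maintainer would want for this report. The render_post wrapper is a constructed stand-in for the forum's post template, not FluxBB's own code.

```python
import html
from html.parser import HTMLParser

# The probe string from the report that the maintainer tried to reproduce.
PAYLOAD = ">'>\"><img src=x onmouseover =prompt(document.domain)>"

# The rendered markup pasted in the thread from the forum page.
OBSERVED = ('<p>&gt;&#039;&gt;&quot;&gt;&lt;img src=x '
            'onmouseover =prompt(document.domain)&gt;</p>')


def php_htmlspecialchars(text: str) -> str:
    """Escape like PHP's htmlspecialchars($s, ENT_QUOTES).

    Python's html.escape() differs only in the apostrophe entity
    (&#x27; instead of PHP's &#039;), so normalise that one case.
    """
    return html.escape(text, quote=True).replace("&#x27;", "&#039;")


class ActiveContentFinder(HTMLParser):
    """Collect <script> tags and any tag with an on* handler attribute."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[tuple[str, str | None]] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append(("script", None))
        for name, _value in attrs:
            if name.lower().startswith("on"):
                self.findings.append((tag, name))


def active_content(rendered: str) -> list:
    """Return (tag, attribute) pairs that could execute script in the browser."""
    finder = ActiveContentFinder()
    finder.feed(rendered)
    finder.close()
    return finder.findings


def render_post(body: str) -> str:
    # Constructed minimal template mirroring the <p> wrapper seen in OBSERVED.
    return f"<p>{php_htmlspecialchars(body)}</p>"
```

Escaped output parses as plain text and yields no findings, while the same payload dropped into the template unescaped is flagged on its onmouseover attribute.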

MioVisman commented 3 years ago

If the problem actually exists, then a quick fix is Content-Security-Policy https://content-security-policy.com/ https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

hemantsolo commented 3 years ago

Give me some time. Currently I'm out of station, but it's not fake; I will give you the video POC. When I tried it, it gave me a pop-up; you can even see my POC screenshot.

Thanks, Hemant Patidar

MioVisman commented 3 years ago

Thinking out loud: Content-Security-Policy won't help much until all inline scripts and styles are moved to files (including scripts in input/button event attributes).

MioVisman commented 3 years ago

A month has passed, but there is no confirmation of this vulnerability.

MioVisman commented 3 years ago

Closing; this vulnerability is a fake.

When I tried it gave me a pop-up, you can even see my POC screenshot.

There is no screenshot in the description of the vulnerability: https://github.com/hemantsolo/CVE-Reference/blob/main/CVE-2020-35240.md

and https://github.com/hemantsolo/CVE-Reference/issues/1#issue-781799411