developer-student-club-thapar / officialWebsite

The official website for DSC TIET official website made using Django and React
https://dsctiet.com
MIT License

reflected xss vulnerability #271

Closed divya16-bit closed 4 years ago

divya16-bit commented 4 years ago

Describe the bug
A clear and concise description of what the bug is. The payloads entered in the input of chatbot field are reflected on the site.

To Reproduce
Steps to reproduce the behavior:

  1. Go to 'the chatbot input field'
  2. Enter '<script>alert('XSS)</script>'
  3. Press enter.
  4. See error being reflected.

screenshot: image

This issue can be fixed by escaping the input entered by the user. The Apache Commons Lang library provides several functions that are useful for escaping content. Download the library.jar file and copy it to the lib folder in your web app directory. (In case of Java code) here you can use escape(). Pass the content being entered by the user in the chatbot to the escape method and then proceed further with the chatbot processes.
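The escaping fix proposed above, shown as an added example that is not part of the original issue or the project's code: a chat-echo renderer before and after output encoding, run on the string from the report. The function names and the markup of the chat bubble are assumptions, since the bot's source is not shown in this thread.

```javascript
// Added example: hypothetical chat-echo renderer, not the DSC bot's code.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode the five characters that can change HTML structure in element
// content or in a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// BEFORE: user text is concatenated into the markup as-is, so any tags in
// it become part of the page (the reflection described in the issue).
function renderEchoUnsafe(userText) {
  return `<div class="msg user" title="${userText}">${userText}</div>`;
}

// AFTER: user text is encoded at the point of output, in both the
// attribute and the element body.
function renderEchoSafe(userText) {
  const safe = escapeHtml(userText);
  return `<div class="msg user" title="${safe}">${safe}</div>`;
}

// Count element start tags in a fragment. A correctly encoded echo must
// contain exactly one (the <div>), whatever the user typed.
function countTags(html) {
  return (html.match(/<[a-zA-Z]/g) || []).length;
}

// Constructed sample inputs: the string from the report and a benign
// message that contains quotes and an ampersand.
const SAMPLES = ["<script>alert('XSS)</script>", 'He said "hi" & left'];

for (const text of SAMPLES) {
  console.log("unsafe tags:", countTags(renderEchoUnsafe(text)));
  console.log("safe tags:  ", countTags(renderEchoSafe(text)));
  console.log(renderEchoSafe(text));
}
```

Escaping belongs at output time and must match the context (element body and quoted attribute here); a React front end gets the same encoding automatically for text rendered as `{value}` in JSX.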

welcome[bot] commented 4 years ago

Thanks for opening your first issue here! We are happy to have you on-board!

animesh-007 commented 4 years ago

I think we are planning to remove the chatbot from the site; you can see issue no. #255.

jsparmani commented 4 years ago

Yeah, @divya16-bit thanks for bringing this to notice. We are aware of security issues in this bot and have planned to remove it as stated in #255

jaskeerat789 commented 4 years ago

But I think we should go on and patch this vulnerability as the same bot is being used in Thapar.edu. We can submit them the report mentioning the vulnerability and the patch. @jsparmani @divya16-bit

jsparmani commented 4 years ago

Yeah, sure we can report this further along with the patch to fix this. I think @paras55 and the team at AnalyticWare are handling the bot experience and they can look into this.

paras55 commented 4 years ago

The bug was already brought to our notice by official people of Thapar and we have taken measures to prevent it. However, it can cause no harm and we have checked it ourselves by trying various things.

But I think we should go on and patch this vulnerability as the same bot is being used in Thapar.edu. We can submit them the report mentioning the vulnerability and the patch. @jsparmani @divya16-bit

paras55 commented 4 years ago

Describe the bug
A clear and concise description of what the bug is. The payloads entered in the input of chatbot field are reflected on the site.

To Reproduce
Steps to reproduce the behavior:

  1. Go to 'the chatbot input field'
  2. Enter '<script>alert('XSS)</script>'
  3. Press enter.
  4. See error being reflected.

screenshot: image

This issue can be fixed by escaping the input entered by the user. The Apache Commons Lang library provides several functions that are useful for escaping content. Download the library.jar file and copy it to the lib folder in your web app directory. (In case of Java code) here you can use escape(). Pass the content being entered by the user in the chatbot to the escape method and then proceed further with the chatbot processes.

Thank you for checking this and letting us know about this vulnerability. We are on it and will soon stop this too. However, no harm in any way is caused to the website on which the chatbot is deployed.

divya16-bit commented 4 years ago

Yes, it's not harmful but still wanted you guys to know about it and correct it. That's all. Thanks for the responses!


paras55 commented 4 years ago

Thank you so much :) This vulnerability has been removed from Thapar.edu, and a pull request has also been opened for the DSC Bot with the updated version. Please let us know in case there are any more vulnerabilities.