echoCTF / echoCTF.RED

A platform to develop, run and administer CTF competitions. The online echoCTF.RED platform user interfaces and codebase
https://echoCTF.RED/
BSD 2-Clause "Simplified" License

Cross Site Scripting (XSS) Backend & frontend #796

Closed Pegasus0xx closed 1 year ago

Pegasus0xx commented 1 year ago

Hey @proditis :wave: ,

An XSS has been found in the backend, and this vulnerability has been affecting the frontend.

Steps To Reproduce:

  1. Go to 'http://localhost:8082/index.php?r=settings/experience/index'
  2. Click on 'Create Experience'
  3. Set Min Points 0
  4. Set Max Points 10
  5. Capture the request, change the "Experience[name]" param to ""
  6. Click on 'Update'
  7. You will see alert msg
  8. Go to 'http://localhost:8080/profile/me'
  9. You will see alert msg

PoC: (four screenshots, poc 1 to poc 4)

Best Regards, Pegasus

proditis commented 1 year ago

Experience names are allowed to include HTML tags (certain competitions require far more elaborate names, such as with images). Experience levels are only maintained by the administrators, so this is intended for the frontend.

For the backend, can you please try again with the fix from the previous issue and see if it fixes it?

Pegasus0xx commented 1 year ago

It's fixed 👍🏻

proditis commented 1 year ago

I leave this open since it exposed another issue with the backend Help widget, which doesn't properly escape the model details.
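The thread separates two output contexts for an Experience name: the frontend, where HTML in names is intentional, and backend widgets such as the Help widget, where the name must be escaped. The following is an added example written for this page, not code from the issue or from echoCTF.RED; the allowlist of tags and attributes is an assumption, not the project's policy.

```php
<?php // Added example, not echoCTF.RED's own code: the two output rules the thread distinguishes.

// Backend widgets (the Help widget case): the name is data, so every character that
// could open a tag or attribute is encoded. yii\helpers\Html::encode() does the same.
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Frontend profile page: names may legitimately contain markup such as images, so
// instead of encoding, keep only an allowlist of tags/attributes (assumed here).
const ALLOWED = ['b' => [], 'i' => [], 'strong' => [], 'em' => [],
                 'img' => ['src', 'alt', 'width', 'height']];
function sanitizeName(string $html): string
{
    $doc = new DOMDocument();
    // Wrap the fragment so it parses as one subtree; @ silences warnings on sloppy markup.
    @$doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    $root = $doc->getElementsByTagName('div')->item(0); // wrapper comes first in document order
    filterChildren($root);
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function filterChildren(DOMNode $node): void
{
    // Work on a snapshot: the live list shifts as children are removed.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if (!($child instanceof DOMElement)) {
            if (!($child instanceof DOMText)) { $node->removeChild($child); } // comments etc.
            continue;
        }
        $tag = strtolower($child->tagName);
        if (!isset(ALLOWED[$tag])) { // <script>, <iframe>, ... are dropped with their content
            $node->removeChild($child);
            continue;
        }
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->name); // onerror=, style=, ... are not allowlisted
            $unsafeSrc = $name === 'src' && !preg_match('#^(https?://|/)#i', trim($attr->value));
            if (!in_array($name, ALLOWED[$tag], true) || $unsafeSrc) {
                $child->removeAttribute($attr->name);
            }
        }
        filterChildren($child);
    }
}
```

In a Yii2 application the same allowlist approach is available as yii\helpers\HtmlPurifier::process(), built on HTML Purifier, for the contexts where markup is meant to be kept.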

proditis commented 1 year ago

A fix for this has been merged. Can you please confirm that the issue is fixed in the backend? FYI: the frontend stayed as is.

Pegasus0xx commented 1 year ago

Issue not fixed; there's another issue: after login to "echoCTF Management interface" you see an alert msg.

(three screenshots)

Pegasus0xx commented 1 year ago

(screenshot)

proditis commented 1 year ago

I can't confirm the Experience issue, I think you managed to pull the images before the build completed :sob: terribly sorry about that, can you please pull again and check the experience issue?

I will address the dashboard on another PR.

Pegasus0xx commented 1 year ago

It fixed the experience issue.

proditis commented 1 year ago

Sorry closed by accident.

The fix for the dashboard XSS is merged, can you please pull updated images and confirm it's fixed? :heart:

Pegasus0xx commented 1 year ago

The dashboard XSS has been fixed.