esotalk / esoTalk

Fat-free forum software.
GNU General Public License v2.0

Cross-site scripting vulnerability #444

Closed fgeek closed 8 years ago

fgeek commented 8 years ago

Hello,

A cross-site scripting vulnerability has been announced on the Full Disclosure mailing list.

According to this Curesec advisory timeline they were unable to contact you:

11/17/2015 Informed Vendor about Issue (no reply)
12/10/2015 Reminded Vendor of Disclosure Date (no reply)
12/21/2015 Disclosed to public

The issue can be reproduced with the following URL:

http://localhost/esoTalk-1.0.0g4/conversations/a'";><img src=no onerror=alert(1)>?search=test

Do you have plans to fix this security vulnerability? If you do not plan to fix vulnerabilities in esoTalk, please mention it in the README or similar, thank you. As far as I can tell this issue does not yet have a CVE identifier assigned. Have you requested one?
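
The report above is a reflected XSS: a request-derived string (the conversation title taken from the URL path, and the search term) is written into the page without HTML escaping, so the browser treats the `<img ... onerror=...>` text as markup. The following is an added example, not esoTalk's own code and not the patch applied in this thread; it puts a minimal unsafe renderer beside the escaped version and uses the payload from the report as constructed test input. Function names (`renderUnsafe`, `renderSafe`, `h`, `containsRawMarkup`) and the sample values are hypothetical.

```php
<?php
// Added example (not esoTalk's code): the same reflected value rendered
// unsafely and safely. All names here are hypothetical.

declare(strict_types=1);

// Constructed input: the path segment and query value from the report.
const SAMPLE_TITLE  = "a'\";><img src=no onerror=alert(1)>";
const SAMPLE_SEARCH = 'test';

// Unsafe: request values are concatenated straight into markup, so any
// '<' or '"' in them changes the structure of the page.
function renderUnsafe(string $title, string $search): string
{
    return '<h1>' . $title . '</h1>'
         . '<input name="search" value="' . $search . '">';
}

// Escape for an HTML text node or a quoted attribute value.
// ENT_QUOTES escapes both ' and " so the value is inert inside either
// attribute quote style; the charset must match the page's encoding.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Safe: every request-derived value is escaped at the point it is output.
function renderSafe(string $title, string $search): string
{
    return '<h1>' . h($title) . '</h1>'
         . '<input name="search" value="' . h($search) . '">';
}

// Regression check a maintainer could keep in the test suite: the rendered
// page must not contain the input's raw tag anywhere.
function containsRawMarkup(string $html, string $needle): bool
{
    return strpos($html, $needle) !== false;
}

$unsafe = renderUnsafe(SAMPLE_TITLE, SAMPLE_SEARCH);
$safe   = renderSafe(SAMPLE_TITLE, SAMPLE_SEARCH);

echo $unsafe, "\n"; // the <img ...> survives as a live element
echo $safe, "\n";   // shows up as literal text: &lt;img src=no onerror=alert(1)&gt;

assert(containsRawMarkup($unsafe, '<img') === true);
assert(containsRawMarkup($safe, '<img') === false);
```

Run it with `php example.php`. The escaping has to be applied per output context: `htmlspecialchars` is right for HTML text and quoted attributes, but a value placed into a URL (for example when building a "back to search" link) needs `rawurlencode` as well, and a value placed inside inline JavaScript needs `json_encode` with the `JSON_HEX_*` flags. Escaping the value once at input time is not a substitute, because the same string may be rendered in several contexts.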

tobyzerner commented 8 years ago

Thanks for reporting this. I never got an email... my @esotalk.org address might be broken, I'll look into it.

fgeek commented 8 years ago

CVE request: http://www.openwall.com/lists/oss-security/2016/01/03/1

inliquid commented 8 years ago

What should I do to reproduce this? Tried on my 1.0.0g4 - doesn't work: http://localhost/esoTalk-1.0.0g4/conversations/a'";><img src=no onerror=alert(1)>?search=test

inliquid commented 8 years ago

Sorry guys but I can't understand and reproduce the case you were fixing. Anyways - I have applied these changes.

However, I found another XSS bug (with the above commit in place).


fgeek commented 8 years ago

Good that you found more issues. @tobscure can you fix that one too?

I was also planning to perform security testing of the esoTalk codebase when I have spare time in the near future.

wkhayrattee commented 8 years ago

@fgeek thanks for all your good intentions. @tobscure thank you for still looking into this.

A quick question btw for @tobscure

inliquid commented 8 years ago

This should help https://github.com/esotalk/esoTalk/compare/develop...inliquid:patch-1

tobyzerner commented 8 years ago

Thanks @inliquid

tobyzerner commented 8 years ago

@7php nested set model

wkhayrattee commented 8 years ago

awesome, thanks @tobscure !

fgeek commented 8 years ago

Tried on my 1.0.0g4 - doesn't work

@inliquid I was able to reproduce this cross-site scripting vulnerability without problems, e.g. when using a logged-in administrator account.

inliquid commented 8 years ago

@fgeek maybe it wasn't working because of some of my plugins.

fgeek commented 8 years ago

@tobscure I have sent an email to the Gmail address in your GitHub profile. Did you receive it?

fgeek commented 5 years ago

MITRE assigned CVE-2015-9285 for this issue.