getgrav / grav-plugin-admin

Grav Admin Plugin
http://getgrav.org
MIT License

Cross-Site Scripting (XSS) Vulnerability in grav-v1.4.8 #1498

Closed riteshgupta1993 closed 6 years ago

riteshgupta1993 commented 6 years ago

grav.pdf

Grav-v1.4.8 Cross Site Scripting (XSS)

• Grav version: 1.4.8
• PHP Version: 5.6.35
• Apache Version: 2.4.33
• Operating system: Microsoft Windows v1

Submitted by:

Author: Ritesh Kumar
Email: aarush93fights@gmail.com
LinkedIn: https://linkedin.com/in/ritesh-kumar-57a11a13a

Proof-of-Concept

Hello,

I would like to report a vulnerability that I discovered in grav-v1.4.8, which can be exploited to perform Cross-Site Scripting (XSS) attacks. The vulnerability exists due to insufficient sanitization in the "page title" parameter. The exploitation example below uses the alert() JavaScript function to display "32" as alert text.

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

An attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.


Vulnerability Type:

Cross Site Scripting (XSS)


Vendor of Product:

Grav

Affected Product Code Base:

Grav (https://getgrav.org/downloads) - version 1.4.8


Affected Component:

http://127.0.0.3/admin/pages

Vulnerable parameter:

page title

Attack Type:

Remote


Attack Vectors:

Steps to reproduce the vulnerability:

1. Log in to Grav as an admin user.

2. Open the URL "http://127.0.0.3/admin/pages".

3. Click on the Add button.

4. Enter the malicious JavaScript “> into the “page title” parameter.

5. Click on the Continue button; the XSS will get executed and 32 will be reflected in the browser.

POC screenshots:

1: Enter the malicious JavaScript into the page title parameter and click on the Continue button. [screenshot: capture3]

2: After clicking on the Continue button, the malicious JavaScript payload will get executed and be reflected in the browser. [screenshot: capture1]

Reference: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

Author: RITESH KUMAR

Patch: http://www.ac-web.org/forums/showthread.php?203544-SECURITY-How-To-Patch-SQL-Injection-And-XSS-Vulnerability
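The leading `">` in the reported payload is the usual sign that the title is echoed back inside an HTML attribute (for example the `value="..."` of the title field after "Continue"), where a double quote closes the attribute and a `>` closes the tag. The following is an added example, written for this page and not code from Grav, the admin plugin, or the reporter: it models that render in plain PHP, shows the unescaped version next to one that encodes the value with `htmlspecialchars()` before interpolating it, and applies a small containment check to both. The function names, the markup, and the check are hypothetical; the `<script>alert(32)</script>` part of the sample title is an assumed completion of the truncated payload, chosen to match the alert text the report describes. It targets PHP 5.6, the version listed in the report, so it uses no scalar type declarations.

```php
<?php
// Added example, not Grav's code or the reporter's: a minimal model of a
// page-title field being rendered back into an HTML form, which is where a
// leading "> in the value can close the attribute and start a new tag.
// The function names and markup are hypothetical; the escaping call is
// PHP's standard htmlspecialchars().

// Constructed sample input. The report shows only the leading ">;
// the <script> part is an assumed completion that pops alert(32) as described.
$sampleTitle = '"><script>alert(32)</script>';

// Vulnerable: the title goes into the value="..." attribute unescaped, so the
// leading "> terminates the attribute and the tag, and the rest is parsed as HTML.
function renderTitleFieldVulnerable($title)
{
    return '<input type="text" name="title" value="' . $title . '">';
}

// Hardened: encode &, <, >, " and ' before interpolating. ENT_QUOTES covers
// both quote styles, which matters because the attribute is delimited by ".
function escapeHtmlAttr($value)
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

function renderTitleFieldHardened($title)
{
    return '<input type="text" name="title" value="' . escapeHtmlAttr($title) . '">';
}

// Check used here to compare the two renders: true when the text that ended up
// between value=" and the closing "> contains no character that can close an
// attribute or open a tag, i.e. the title stayed inside the attribute.
function attributeIsContained($html)
{
    $prefix = '<input type="text" name="title" value="';
    $suffix = '">';
    if (strncmp($html, $prefix, strlen($prefix)) !== 0 || substr($html, -strlen($suffix)) !== $suffix) {
        return false;
    }
    $inner = substr($html, strlen($prefix), strlen($html) - strlen($prefix) - strlen($suffix));
    return strpbrk($inner, '"<>') === false;
}

$vulnerable = renderTitleFieldVulnerable($sampleTitle);
$hardened   = renderTitleFieldHardened($sampleTitle);

echo "vulnerable: $vulnerable\n";
echo "contained:  " . var_export(attributeIsContained($vulnerable), true) . "\n\n";
echo "hardened:   $hardened\n";
echo "contained:  " . var_export(attributeIsContained($hardened), true) . "\n";
```

Run it with `php` on the command line: the vulnerable render fails the containment check because the raw `"` and `<` of the title leave the attribute, while the hardened render passes because they come out as `&quot;` and `&lt;`. In a Twig template, which is what Grav's admin plugin renders with, the equivalent of `escapeHtmlAttr()` is Twig's escape filter with the attribute strategy, `{{ title|e('html_attr') }}`, or simply leaving autoescaping on; the thing to confirm when triaging a report like this one is whether the specific template that echoes the title applies `|raw` or otherwise bypasses that escaping.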

rhukster commented 6 years ago

Thanks for the report. However, we consider the admin to be 'trusted' as this should only be provided to administrators or at least trusted content creators.

If this XSS vector could be accomplished without a valid administrator account, it would certainly be considered valid.