Many templates built on the Astroid Framework call getBodyClass() to add request-derived classes to the <body> element.
Using the payload ?task=">mycustomhtml or ?layout=">mycustomhtml, we can break out of the class attribute, corrupt the HTML structure and display our own text on the page.
The "<" character cannot be injected, so no JavaScript or CSS can be executed, but attacker-chosen text can be rendered on the affected site simply by sending a victim a crafted link (content spoofing / HTML injection).
The root cause is an insufficient input filter in the getBodyClass() function in libraries/astroid/framework/library/astroid/Document.php:
$option = $app->input->get('option', '', 'STRING');
$view = $app->input->get('view', '', 'STRING');
$layout = $app->input->get('layout', 'default', 'STRING'); // Input filter should be 'ALNUM' or use a custom regex
$task = $app->input->get('task', '', 'STRING'); // Input filter should be 'ALNUM' or use a custom regex
$header = $params->get('header', TRUE);
$headerMode = $params->get('header_mode', 'horizontal', 'STRING');
$Itemid = $app->input->get('Itemid', '', 'INT');
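The following is an added example, not Astroid's own code: it reproduces the body-class construction pattern outside Joomla (a plain array stands in for $app->input), shows why a 'STRING'-filtered value such as ">mycustomhtml breaks the attribute, and places a hardened version beside it. The function names (bodyClassUnsafe, bodyClassSafe, cmdToken) and the sample query array are constructed for illustration; cmdToken allows the same character set as Joomla's 'CMD' input filter.

```php
<?php
// Added example (not Astroid's code): standalone reproduction of the body-class
// construction pattern, using a simulated query array instead of Joomla's $app->input.

// Vulnerable pattern: request values are placed into the class attribute unchanged.
// Joomla's 'STRING' filter strips tags but leaves quotes and '>' alone, so a value
// such as ">mycustomhtml closes the attribute and the rest is rendered as page text.
function bodyClassUnsafe(array $query): string
{
    $option = $query['option'] ?? '';
    $view   = $query['view']   ?? '';
    $layout = $query['layout'] ?? 'default';
    $task   = $query['task']   ?? '';

    $classes = array_filter([
        $option,
        $view !== '' ? 'view-' . $view : '',
        'layout-' . $layout,
        $task !== '' ? 'task-' . $task : '',
    ]);

    return '<body class="' . implode(' ', $classes) . '">';
}

// Hardened pattern: allowlist each token to the characters a Joomla option/view/
// layout/task name legitimately contains (letters, digits, '_', '.', '-', the same
// set as the 'CMD' input filter), then escape on output as a second line of defence.
function cmdToken(string $value): string
{
    $clean = preg_replace('/[^A-Za-z0-9_.-]/', '', $value) ?? '';
    return ltrim($clean, '.');
}

function bodyClassSafe(array $query): string
{
    $option = cmdToken($query['option'] ?? '');
    $view   = cmdToken($query['view']   ?? '');
    $layout = cmdToken($query['layout'] ?? 'default');
    $task   = cmdToken($query['task']   ?? '');

    $classes = array_filter([
        $option,
        $view !== '' ? 'view-' . $view : '',
        'layout-' . $layout,
        $task !== '' ? 'task-' . $task : '',
    ]);

    // Escaping here makes the attribute safe even if the token filter is ever bypassed.
    $attr = htmlspecialchars(implode(' ', $classes), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<body class="' . $attr . '">';
}

// Constructed request mirroring the reported payload ?task=">mycustomhtml
$query = [
    'option' => 'com_content',
    'view'   => 'article',
    'layout' => 'default',
    'task'   => '">mycustomhtml',
];

echo bodyClassUnsafe($query), PHP_EOL;
echo bodyClassSafe($query), PHP_EOL;
```

Run with `php example.php`: the first line ends in `task-">mycustomhtml">`, so the class attribute is closed early and "mycustomhtml" becomes visible text; the second line ends in `task-mycustomhtml">` with the quote and angle bracket removed. Note that the 'ALNUM' filter suggested in the comments above would also strip the dot and underscore that legitimate Joomla task and view values contain (for example article.edit), which is why the allowlist here keeps '_', '.' and '-', matching Joomla's 'CMD' filter; in Joomla itself that means passing 'CMD' as the third argument of $app->input->get().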