Closed balcsida closed 9 years ago
Hi,
Would you mind elaborating on how you produce the XSS vuln? I tried copy-pasting, but nothing happened.
I'll try on another web server; give me a little time.
Sorry for the long wait, I'm retesting everything now.
http://monstra-site/admin/"><script>alert(2188772)</script>'
Sometimes it will show a popup, sometimes it does not. I'm using IBM Rational AppScan.
Tested this on https://demos3.softaculous.com/Monstra/admin. Just got a 404.
You need to use IE with the XSS filter off.
On Thursday, Jan 15, 2015 at 10:45, razuro (notifications@github.com) wrote:
> Tested this on https://demos3.softaculous.com/Monstra/admin. Just got a 404.
Reply to this email directly or view it on GitHub: https://github.com/Awilum/monstra-cms/issues/344#issuecomment-70031939
Confirmed XSS is still a problem on monstra 3.0.1
Used IE 10 with the XSS filter off.
http://www.domain.com/?"/><script>alert(980991);</script>"
PHP command that causes XSS:
```php
<meta property="og:url" content="<?php echo Url::current(); ?>">
```
Result:
```html
<meta property="og:url" content="http://www.domain.com/?"/><script>alert(980991);</script>"">
```
Problem with Gelato Lib:
```php
public static function current()
{
    return (!empty($_SERVER['HTTPS'])) ? "https://".$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI'] : "http://".$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI'];
}
```
Solution:
```php
public static function current()
{
    return (!empty($_SERVER['HTTPS'])) ? Security::sanitizeURL("https://".$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI']) : Security::sanitizeURL("http://".$_SERVER['SERVER_NAME'].$_SERVER['REQUEST_URI']);
}
```
Like: /monstra/?"onmouseover='prompt(980991)'bad="> /monstra/blog/hello-world">
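The following is an added example, not Monstra or Gelato code and not part of any comment above. It reproduces the `og:url` issue from this thread with constructed `$_SERVER` values (the payload is the one posted above), shows the fix a reviewer would want at the output point (escaping for the HTML attribute context), and shows why "sanitizing the URL" on its own is not guaranteed to help: PHP's own `FILTER_SANITIZE_URL` keeps `<`, `>` and `"` because they are legal URL characters. The function names `currentUrl`, `vulnerableMetaTag`, `hardenedMetaTag` and `urlSanitizerKeepsBreakout` are hypothetical; whether `Security::sanitizeURL` strips those characters is a question for that class, which this example does not assume either way.

```php
<?php
// Added example (not Monstra/Gelato code). Function names are hypothetical.

// Constructed request, using the payload posted in this thread.
$_SERVER['HTTPS']       = '';
$_SERVER['SERVER_NAME'] = 'www.domain.com';
$_SERVER['REQUEST_URI'] = '/?"/><script>alert(980991);</script>"';

// Same shape as Gelato's Url::current(): scheme + host + the raw request URI.
// REQUEST_URI is attacker-controlled, so the return value is untrusted.
function currentUrl()
{
    $scheme = !empty($_SERVER['HTTPS']) ? 'https://' : 'http://';
    return $scheme . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
}

// As in the template above: the URL is dropped into a double-quoted attribute
// unescaped, so the first " in the URI closes the attribute.
function vulnerableMetaTag()
{
    return '<meta property="og:url" content="' . currentUrl() . '">';
}

// Hardened: escape for the HTML attribute context where the value is emitted.
// ENT_QUOTES also covers the single quote used by the onmouseover payload.
function hardenedMetaTag()
{
    $escaped = htmlspecialchars(currentUrl(), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<meta property="og:url" content="' . $escaped . '">';
}

// Generic pitfall: a URL sanitizer removes characters that are illegal in a
// URL, not characters that are dangerous in HTML. FILTER_SANITIZE_URL leaves
// < > and " in place, so the breakout survives it.
function urlSanitizerKeepsBreakout()
{
    $filtered = filter_var(currentUrl(), FILTER_SANITIZE_URL);
    return strpos($filtered, '"/><script>') !== false;
}

echo vulnerableMetaTag(), PHP_EOL;
echo hardenedMetaTag(), PHP_EOL;
echo urlSanitizerKeepsBreakout()
    ? "FILTER_SANITIZE_URL left the breakout intact" . PHP_EOL
    : "FILTER_SANITIZE_URL removed the breakout" . PHP_EOL;
```

Running this prints the broken tag from the thread first, then a tag whose `content` attribute reads `http://www.domain.com/?&quot;/&gt;&lt;script&gt;alert(980991);&lt;/script&gt;&quot;`, then confirms that `FILTER_SANITIZE_URL` alone did not remove the `"/><script>` sequence. The takeaway for the proposed fix is that the escaping has to match the context the value lands in (here an HTML attribute); sanitizing inside `Url::current()` only helps if that sanitizer actually strips or encodes `"`, `'`, `<` and `>`.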