php-kchat / kchat

PHP Based Live Chat Application
https://github.com/php-kchat/kchat

XSS vulnerabilities #9

Closed ErikMichelson closed 3 years ago

ErikMichelson commented 3 years ago

KChat does not sanitize user input at all but stores it in the database and renders it to HTML again without sanitizing. This leads to some cross-site scripting vulnerabilities where users or other administrators may enter malicious content (like HTML content containing JavaScript) into form fields, which then gets evaluated inside the admin panel.

The less serious thing: If you've got multiple persons with admin access and one wants to "attack" the other admins, they could abuse the SMTP configuration page and insert prepared HTML content there. A proof of concept would look like this:

"/><script>alert('xss')</script><img src="https://dummyimage.com/600x400/fff/000.png&text=This+page+has+been+hacked!

After inserting the string above into the "SMTP Host" field and storing the changes, the page will execute the script and render the image on every page load.


This is not that critical an issue, as it could only be initiated by admin users, and in general you might trust your other admin users.

The more critical issue lies in the verification page for new users. New users may freely change their first name and last name to any value that is 20 characters or fewer. Although it sounds quite hard to find such a small payload, there are actually some, like the following one.

Just enter the following code in your first name field.

<script src=//㎠.㎺ />

The impact of this is that administrators navigating to the user management page, as well as other users chatting with this malicious user, would execute that script instead of displaying a first name. This means that any person who knows a valid verification link can perform this attack and, for example, perform actions on behalf of another user.

For mitigation, I'd recommend always using the PHP function htmlspecialchars, or even better in combination with strip_tags, for every place where you need to render user input.
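As an added illustration of the mitigation suggested above (example code, not KChat's own code and not part of this issue), the following shows output escaping with PHP's built-in htmlspecialchars(), applied to the two payloads quoted in this issue. The helper names e() and plainText(), the field names and the surrounding HTML are assumptions made for the example.

```php
<?php
// Added example, not part of KChat: context-aware output escaping for
// user-supplied strings that are rendered into HTML.

/**
 * Escape a string for use as HTML text or inside a quoted attribute value.
 * ENT_QUOTES escapes both " and ' (needed for attribute context),
 * ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string,
 * and the charset is stated explicitly so the result does not depend on
 * default_charset. Helper name e() is an assumption for this example.
 */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Stricter variant for fields that should never contain markup at all
 * (for example a first name): drop tags first, then escape what remains.
 * strip_tags() on its own is not a sufficient defence; the escaping step
 * is the one that makes the output safe regardless of context.
 */
function plainText(string $value): string
{
    return e(strip_tags($value));
}

/** True if the escaped string still contains any character that could break out of HTML text or a quoted attribute. */
function containsRawMarkup(string $escaped): bool
{
    return strpbrk($escaped, '<>"\'') !== false;
}

// Constructed inputs: the two payloads quoted in this issue.
$smtpHost  = '"/><script>alert(\'xss\')</script><img src="https://dummyimage.com/600x400/fff/000.png&text=This+page+has+been+hacked!';
$firstName = '<script src=//㎠.㎺ />';

// Attribute context: the stored value goes back into value="...".
$settingsField = '<input type="text" name="smtp_host" value="' . e($smtpHost) . '">';

// Text context: the name is placed between tags in the user list.
$userRow = '<td>' . plainText($firstName) . '</td>';

echo $settingsField, PHP_EOL;
echo $userRow, PHP_EOL;

// Self-check: neither escaped value may still contain raw markup characters.
// The same check works as a unit test for every place user input is rendered.
var_dump(containsRawMarkup(e($smtpHost)));        // bool(false)
var_dump(containsRawMarkup(plainText($firstName))); // bool(false)
```

Two design points worth keeping in mind: escaping belongs at output time, in the function that builds the HTML, while the database keeps the raw value; and the escaping function must match the context the value lands in (attribute versus text), which is why e() always uses ENT_QUOTES rather than the default of leaving single quotes untouched. Length limits on input, like the 20-character cap mentioned above, are unaffected because the stored string is not modified.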

GaneshKandu commented 3 years ago

Please check if it's working

ErikMichelson commented 3 years ago

It seems that the two XSS vulnerabilities are fixed with your latest commit/version.