Closed. NotsoanoNimus closed this 1 year ago.
@NotsoanoNimus, thanks for the article and pull request.
I am going to quote your article that gets to the meat of the bug:
This whole segment is a verbose way to say, “The ‘Organization’ and ‘Domain’ fields are 255-character data fields which are fully unsanitized when parsed from DMARC reports and are injected into the main dashboard page without a second glance. These raw strings can arrive from anyone because DMARC reporting mailboxes are by design public destinations.”
Or, to put it another way: lesson learned.
I won't lie, but I will have to read the "Exploitation" section of your blog post several times to fully understand the mechanics of the exploit, but essentially the fix is to sanitize the HTML inputs for the ‘Organization’ and ‘Domain’ fields. A very straightforward fix to a dangerous bug.
@techsneeze I see no reason not to merge this PR asap.
Resolve an issue where malicious XSS injected into the XML for org_name or domain values can anonymously target email admins accessing the PHP dashboard and execute arbitrary JavaScript remotely. A technical exploration is available on my blog.
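The fix described in this pull request (escaping org_name and domain before they are written into the dashboard HTML), as an added Python example that is not the project's own PHP code: the XML layout and element names follow the DMARC aggregate report format, the report content is constructed, and the two render functions are illustrative stand-ins for the dashboard's output code rather than its actual source.

```python
import html
import xml.etree.ElementTree as ET

# Constructed DMARC aggregate report. The org_name and domain values carry
# attacker-controlled markup, which is the condition the bug report describes:
# anyone can mail a report to a public DMARC mailbox, so these are untrusted.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>Mailer Inc &lt;script&gt;alert('org')&lt;/script&gt;</org_name>
    <email>dmarc@example.net</email>
    <report_id>constructed-0001</report_id>
  </report_metadata>
  <policy_published>
    <domain>example.org" onmouseover="alert(1)</domain>
    <p>none</p>
  </policy_published>
</feedback>
"""


def parse_report(xml_text: str) -> dict:
    """Extract the two fields the dashboard displays. The XML parser decodes
    entities, so the returned strings contain raw '<', '>' and quote characters."""
    root = ET.fromstring(xml_text)
    return {
        "org_name": root.findtext("report_metadata/org_name", default=""),
        "domain": root.findtext("policy_published/domain", default=""),
    }


def render_row_unsafe(fields: dict) -> str:
    """Vulnerable pattern: parsed values pasted straight into the HTML table."""
    return '<tr><td title="{d}">{o}</td><td>{d}</td></tr>'.format(
        o=fields["org_name"], d=fields["domain"])


def render_row_safe(fields: dict) -> str:
    """Fixed pattern: escape at output time. quote=True also neutralises
    quotes, so a value placed inside an attribute cannot break out of it."""
    o = html.escape(fields["org_name"], quote=True)
    d = html.escape(fields["domain"], quote=True)
    return f'<tr><td title="{d}">{o}</td><td>{d}</td></tr>'
```

Escaping is applied where the value meets HTML, not when it is stored, so reports already in the database are rendered safely as well.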