techsneeze / dmarcts-report-viewer

DMARC Report Tool for use with rddmarc or dmarcts-report-parser (formerly imap-dmarcts)
http://www.techsneeze.com/dmarc-report/
GNU General Public License v3.0

CVE-2023-34796 -- XSS: Escape Raw HTML in Outputs #88

Closed NotsoanoNimus closed 1 year ago

NotsoanoNimus commented 1 year ago

Resolve an issue where malicious XSS injected into the XML for org_name or domain values can anonymously target email admins accessing the PHP dashboard and execute arbitrary JavaScript remotely.

A technical exploration is available on my blog.

jnew-gh commented 1 year ago

@NotsoanoNimus, thanks for the article and pull request.

I am going to quote your article that gets to the meat of the bug:

This whole segment is a verbose way to say, “The ‘Organization’ and ‘Domain’ fields are 255-character data fields which are fully unsanitized when parsed from DMARC reports and are injected into the main dashboard page without a second glance. These raw strings can arrive from anyone because DMARC reporting mailboxes are by design public destinations.”

Or, to put it another way: lesson learned.

I won't lie, but I will have to read the "Exploitation" section of your blog post several times to fully understand the mechanics of the exploit, but essentially the fix is to sanitize the HTML inputs for “The ‘Organization’ and ‘Domain’ fields”. A very straightforward fix to a dangerous bug.

@techsneeze I see no reason not to merge this PR asap.
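As an added illustration of the fix discussed above (example code written for this page, not the project's own patch), the PHP below shows the unescaped output pattern beside the escaped one for the `org_name` and `domain` fields; the function names and the constructed sample rows are assumptions, and the second row carries a markup payload of the kind a public DMARC reporting mailbox could receive.

```php
<?php
// Added example, not from dmarcts-report-viewer: escaping report-derived
// org_name and domain values at the point they are written into dashboard HTML.
// Function names and sample rows are assumptions for illustration only.

declare(strict_types=1);

/** Escape a value for safe insertion into HTML text or a quoted attribute. */
function esc(string $value): string
{
    // ENT_QUOTES covers both ' and " so the value is also safe inside attributes;
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable pattern: raw report fields are interpolated straight into markup. */
function row_unsafe(array $r): string
{
    return "<tr><td>{$r['org_name']}</td><td>{$r['domain']}</td></tr>\n";
}

/** Fixed pattern: every untrusted field passes through esc() at the output point. */
function row_safe(array $r): string
{
    return '<tr><td>' . esc($r['org_name']) . '</td><td>' . esc($r['domain']) . "</td></tr>\n";
}

// Constructed sample rows: the first is a normal report, the second carries
// markup in org_name as an attacker-supplied aggregate report could.
// Note that the 255-character field limit does nothing to stop this.
$rows = [
    ['org_name' => 'google.com', 'domain' => 'example.net'],
    ['org_name' => '<script>alert(1)</script>', 'domain' => 'example.net'],
];

foreach ($rows as $r) {
    echo 'unsafe: ', row_unsafe($r);  // second row emits a live <script> tag
    echo 'safe:   ', row_safe($r);    // second row emits &lt;script&gt;... as inert text
}
```

Escaping belongs at output time, as here, rather than at parse time, so the stored values stay intact for searching and reporting while every rendering path is covered.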