Reviewed: https://reviews.mahara.org/12190
Committed: https://git.mahara.org/mahara/mahara/commit/756e4ccc7f56be3cf786e84506952987883696f9
Submitter: Robert Lyon ([email protected])
Branch: 21.10_DEV
commit 756e4ccc7f56be3cf786e84506952987883696f9
Author: Robert Lyon <[email protected]>
Date:   Thu Sep 23 14:22:30 2021 +1200

    Security bug 1944633: Select2 dealing with bad characters

    If we have something like <script>alert(document.domain)</script> being put into a select2 field then selected, eg tags for a page, then we need to escape the input so that the code isn't executed.

    Change-Id: I64b8dbd3d6071e27584d8c5199b2eb35c803c9de
    Signed-off-by: Robert Lyon <[email protected]>
    (cherry picked from commit 8f8fd43ed08e6c8ef614668ce84c269605ba3ca6)

--
https://bugs.launchpad.net/bugs/1944633

Title:
  Stored cross site scripting in all "tags" input

Status in Mahara:
  Fix Released
Status in Mahara 20.04 series:
  Fix Released
Status in Mahara 20.10 series:
  Fix Released
Status in Mahara 21.04 series:
  Fix Released

Bug description:
  Hello again!

  In many places in Mahara it's possible to set "tags" for specific objects. In each case the input field used to edit tags is vulnerable to XSS.

  The attack pattern is to set the payload in a place where it's likely someone else will come and edit later on. Group pages seem like a good target as they seem likely to be edited as part of someone's normal workflow.

  1. Visit http://localhost:6142/mahara/group/edit.php and create a group
  2. Go to the "Pages and Collection" page in the group, click "+ Add" and select "Page" in the pop up selection
  3. Write "<script>alert(document.domain)</script>" in the "Tags" input and click on the element that shows up in the "autocomplete" dropdown to set the tag (The XSS will pop but at this point it's only self XSS)
  4. Save the page
  5. Invite another user to your group to be your victim by going to the Members tab and clicking the "send multiple invitations at once" link

  Now if the invited user edits that page's settings the XSS will fire.
  There are other "tags" inputs throughout the application where a similar attack scenario would work.

  Suggested CVSS: AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N 7.7

  I'm taking a guess here with the A:H/I:H and I didn't push too hard to figure out the maximum impact, but the XSS should allow the attack to read and modify any private data that belongs to the victim.

  Let me know if you need anything else!

  Dominic
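The commit message says the fix is to escape what goes into the select2 field before it is rendered. The following is an added illustration of that point, not code from the notification or from the Mahara patch: it re-implements the character table that select2 4.x's built-in `escapeMarkup` option uses so the file runs in plain Node without a DOM or jQuery, models a `templateSelection`-style chip renderer (the chip markup is a hypothetical stand-in), and contrasts the default escaping with the identity override that sites sometimes configure to allow HTML in templates.

```javascript
// Added example; not part of the Launchpad notification or of the Mahara fix.
// Replacement table matching select2 4.x Utils.escapeMarkup (assumption: that
// version's semantics), written out so this runs stand-alone.
const REPLACE_MAP = {
  '\\': '&#92;', '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#39;', '/': '&#47;',
};

// Default escaping: every character that can open a tag, attribute or entity
// becomes an HTML entity, so the browser treats the tag text as text.
function escapeMarkup(markup) {
  if (typeof markup !== 'string') return markup;
  return markup.replace(/[&<>"'\/\\]/g, (ch) => REPLACE_MAP[ch]);
}

// The customisation that re-introduces the bug: overriding escapeMarkup with
// the identity so that HTML in option templates is rendered as-is.
const identityMarkup = (markup) => markup;

// Hypothetical chip wrapper; the wrapper is trusted, the tag text is not.
const CHIP_OPEN = '<span class="select2-selection__choice">';
const CHIP_CLOSE = '</span>';

// Renders one selected tag the way a templateSelection callback would, using
// whichever escapeMarkup the widget is configured with (default if none given).
function renderSelectedTag(tag, options) {
  const escape = (options && options.escapeMarkup) || escapeMarkup;
  return CHIP_OPEN + escape(tag.text) + CHIP_CLOSE;
}

// Review check: inside the trusted wrapper, no raw angle bracket or quote may
// survive; if one does, user-controlled text has become markup.
function leaksMarkup(rendered) {
  const inner = rendered.slice(CHIP_OPEN.length, -CHIP_CLOSE.length);
  return /[<>"']/.test(inner);
}

// Constructed sample tags: the payload quoted in the bug report plus a benign one.
const SAMPLE_TAGS = [
  { id: 'js', text: '<script>alert(document.domain)</script>' },
  { id: 'ok', text: 'project & planning' },
];

const unsafe = SAMPLE_TAGS.map((t) => renderSelectedTag(t, { escapeMarkup: identityMarkup }));
const safe = SAMPLE_TAGS.map((t) => renderSelectedTag(t));
console.log(unsafe.some(leaksMarkup)); // true: the stored script would run
console.log(safe.some(leaksMarkup));   // false: it renders as literal text
```

In a real page the same rule applies to `templateResult` and `templateSelection`: return plain strings and leave `escapeMarkup` at its default, since a jQuery object returned from a template bypasses escaping entirely.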

