mahara-contributors team mailing list archive
Message #63962
[Bug 1944633] Re: Stored cross site scripting in all "tags" input
For the security forum post:
Vulnerability type: XSS
Attack type: Local
Impact: Code execution
Affected components: The adding or displaying of tags on pages or content
Attack vectors: If a person creates a tag in a certain way and then shares the page with others, then when they view the page the tag can cause code execution.
Suggested description: In Mahara before 20.04.5, 20.10.3, 21.04.2, and
21.10.0, certain tag syntax could cause code execution.
Reported by: Dominic Couture
Bug report: https://bugs.launchpad.net/mahara/+bug/1944633
CVE reference: TBC
--
Title: Stored cross site scripting in all "tags" input
Status in Mahara: Fix Released
Status in Mahara 20.04 series: Fix Committed
Status in Mahara 20.10 series: Fix Committed
Status in Mahara 21.04 series: In Progress
Bug description:
Hello again! In many places in Mahara it's possible to set "tags" for
specific objects. In each case the input field used to edit tags is
vulnerable to XSS. The attack pattern is to set the payload in a place
where it's likely someone else will come and edit later on. Group
pages seem like a good target as they seem likely to be edited as part
of someone's normal workflow.
1. Visit http://localhost:6142/mahara/group/edit.php and create a group
2. Go to the "Pages and Collection" page in the group, click "+ Add" and select "Page" in the pop up selection
3. Write "<script>alert(document.domain)</script>" in the "Tags" input and click on the element that shows up in the "autocomplete" dropdown to set the tag (The XSS will pop but at this point it's only self XSS)
4. Save the page
5. Invite another user to your group to be your victim by going to the Members tab and clicking the "send multiple invitations at once" link
Now if the invited user edits that page's settings the XSS will fire.
There are other "tags" inputs throughout the application where a similar
attack scenario would work.
Suggested CVSS: AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N 7.7
I'm taking a guess here with the A:H/I:H and I didn't push too hard to
figure out the maximum impact, but the XSS should allow the attacker to
read and modify any private data that belongs to the victim.
Let me know if you need anything else!
Dominic
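The report above describes a stored tag being parsed as markup when the tag editor renders it. The following is an added example, not Mahara's code or its actual fix: it puts an unescaped rendering of a stored tag beside an output-encoded one and adds a check for auditing tags already in storage. The function names, the `<li>` markup and the sample tag list are hypothetical.

```javascript
// Added example; all names and markup here are hypothetical, not Mahara's.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that can change the HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored tag is concatenated into markup as-is,
// so a tag that contains markup is parsed as markup when the editor loads.
function renderTagOptionUnsafe(tag) {
  return '<li class="tag-option" data-tag="' + tag + '">' + tag + '</li>';
}

// Hardened pattern: encode at output time, for both the attribute and the text.
function renderTagOptionSafe(tag) {
  const safe = escapeHtml(tag);
  return '<li class="tag-option" data-tag="' + safe + '">' + safe + '</li>';
}

// Audit helper: stored tags that could open an element or break out of an
// attribute if rendered raw. A lone "&" cannot do either, so it is not flagged.
function findMarkupBearingTags(tags) {
  return tags.filter((tag) => /[<>"']/.test(String(tag)));
}

// Constructed sample data; the second tag is the string from the report.
const storedTags = ['portfolio', '<script>alert(document.domain)</script>', 'R&D'];

for (const tag of storedTags) {
  console.log(renderTagOptionSafe(tag));
}
console.log('needs review:', findMarkupBearingTags(storedTags));
```

In browser DOM code, assigning the tag through `textContent` and `setAttribute` instead of building HTML strings gives the same result without a hand-written encoder.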