Fix Multiple Stored XSS in Administration allowing execution of arbitrary JavaScript code

[noobpk]

The data generated from Administration when rendering in FE lacks escape:html from which it can execute arbitrary javascript code.

Fix bug stored xss - Data when render on FE allows execution of arbitrary javascript code

Disclosure: https://huntr.dev/bounties/cc5c6cdd-8030-4eb1-af75-947780ee12e0

[vladsf]

Hi, I have a few questions:

1. Is there a more elegant way to do |escape:"html"? Without postfixing every output value? May be one liner at template initialization level? Also "html" is the escape default. No need to put it explicitly.
2. Does |escape:"html" support UTF-8 and various Latin charactes without converting them to html entities? Have you tested that?

[noobpk]

Hi, I have a few questions:

1. Is there a more elegant way to do |escape:"html"? Without postfixing every output value? May be one liner at template initialization level? Also "html" is the escape default. No need to put it explicitly.
2. Does |escape:"html" support UTF-8 and various Latin charactes without converting them to html entities? Have you tested that?

Well, You can process special values in user input on the BE side before storing it, or use the htmlspecialchars() class in PHP to process the output on the FE side.

Like in laravel framework I am using just use {!! !!} to clean the output.

I tried with natural characters and it seems to work fine.

[vladsf]

smarty docs is down now. Can't check what html does.
Have you looked at class Template_Helper? This class serves all the templates it might make sense to fix the class than the all templates.

[glensc]

Smarty does not have an automatic escape. So have to place everywhere escape.

The alternative of escaping in code before feeding to template, is very horrible idea, as must escape at for the context where the data is output, and using proper method. For example in html link context, you do urlencode, in html text you do htmlescpecialchars in javascript you do json_encode, get the point?

I had some crazy ideas to replace Smarty with Twig, even found some form of converters, but never finished it. found the branch from Oct 2016:

• https://github.com/glensc/eventum/tree/experiment/twig

[vladsf]

Google says different: Smarty do it by default by setting $default_modifiers field for Smarty object e.g. $smarty->default_modifiers = array('escape:"html"');

I got the point. Yet html does not do htmlescpecialchars. htmlall might do. Need to check with the docs though.

[glensc]

In any case, we can't do default_modifiers, we end up escaping twice. and end up escaping were not needed (for example json). if you want to do default_modifiers you should do templates from scratch. but when you do that, switch to a different engine already ;)

[vladsf]

Ook.

[noobpk]

@glensc I was found a new point that can trigger xss in

eventum/templates/select_project.tpl.html

Line 43 in 062389e

<label class="project_label" for="project_{$prj_id}">{$project}</label>

How I update commit to this PR.

[glensc]

How I update commit to this PR.

Add another commit.

or did you run to some errors? you may need git pull --rebase if you used GitHub to commit suggestions.

[glensc]

The flow of pull request should be:

1. make an initial proposal
2. if from review becomes need to make more changes, add more commits
3. once the review is passed and ready for merge
4. do final git rebase to squash commits, fixup commits, correct commit messages
5. merge

I can do 4&5 myself, if it's too difficult for typical contributor.

[noobpk]

The flow of pull request should be:

1. make an initial proposal
2. if from review becomes need to make more changes, add more commits
3. once the review is passed and ready for merge
4. do final git rebase to squash commits, fixup commits, correct commit messages
5. merge

I can do 4&5 myself, if it's too difficult for typical contributor.

^^ . When my PR is ready but i don't find any button to merge it

[glensc]

@noobpk you can't do "5", you're not maintainer here.

also:

• 3.1 maintainer approves merge request to indicate changes are ok
• 4.1 contributor marks merge request ready (removes draft state) to indicate they don't plan to add more changes

[noobpk]

@glensc Did you receive an email for my report? :D

[glensc]

@noobpk you mean email that you pushed one more commit?

• fa44355 (#1260)

[glensc]

@noobpk you haven't responded to all review notes:

• Fix Multiple Stored XSS in Administration allowing execution of arbitrary JavaScript code #1260 (comment)

[noobpk]

@noobpk you mean email that you pushed one more commit?

• fa44355 (#1260)

Ah no. It mean email from huntr for this bug. https://huntr.dev/bounties/cc5c6cdd-8030-4eb1-af75-947780ee12e0/

[noobpk]

@noobpk you haven't responded to all review notes:

• Fix bug Multiple Stored XSS in Administration #1260 (comment)

Ah sorry, I'm a little confused in the manipulations with PR. ^^

[glensc]

@noobpk you haven't responded to all review notes:

• Fix bug Multiple Stored XSS in Administration #1260 (comment)

Ah sorry, I'm a little confused in the manipulations with PR. ^^

seems you only applied the suggestion, didn't change the title.

[glensc]

@noobpk also, when you're done with your changes, remove Draft!

[noobpk]

@noobpk also, when you're done with your changes, remove Draft!

It mean I make PR is ready for review , right?

[glensc]

https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/proposing-changes-to-your-work-with-pull-requests/about-pull-requests#draft-pull-requests

[vladsf]

I had some crazy ideas to replace Smarty with Twig, even found some form of converters, but never finished it. found the branch from Oct 2016:

Thanks. I have quickly looked at Twig and Smarty. I feel like they are on par. They both get commits, has PHP8 support.

[vladsf]

I checked with the docs: "html" modofier is the default. The code changes might be optimized from |escape:"html" to simply |escape

[glensc]

@noobpk don't add merge commits to the merge request, rebase instead! also when you're done with changes, remove draft state.

[glensc]

I checked with the docs: "html" modofier is the default. The code changes might be optimized from |escape:"html" to simply |escape

no need for this, |escape:"html" is fine. if you really want to do it, do it as a separate PR for all templates after this one is merged.

[noobpk]

@noobpk don't add merge commits to the merge request, rebase instead! also when you're done with changes, remove draft state.

Oke, I've searched all possible places to trigger xss

[glensc]

since you ignored multiple requests to rebase, I'm going to rebase myself. in fact, since the commits have the same commit message, I'm going to squash merge to a single commit.

[glensc]

@noobpk do you have more bugs in your queue or I'll make a release now?

[noobpk]

@noobpk do you have more bugs in your queue or I'll make a release now?

Well, Currently for your repo it's not.

[noobpk]

since you ignored multiple requests to rebase, I'm going to rebase myself. in fact, since the commits have the same commit message, I'm going to squash merge to a single commit.

Thank you for being patient with me. ^^!! . I'm so noob with Github

[glensc]

There's shame in that you can't do things, just discarding because you don't understand is not that okay. As for the other end of the reading the discussion on the pull request, I do not know, if you are working on a thing, or you discarded it because didn't understand.

[noobpk]

There's shame in that you can't do things, just discarding because you don't understand is not that okay. As for the other end of the reading the discussion on the pull request, I do not know, if you are working on a thing, or you discarded it because didn't understand.

Thanks for your feedback. I will try harder. ^^!!

[noobpk]

@glensc Hi, you are valided the report but not valided the occurences and my fix 😅😅.

[glensc]

@noobpk I don't understand what do you mean.

[noobpk]

@noobpk I don't understand what do you mean.

Ah, I see you have validated this report https://huntr.dev/bounties/cc5c6cdd-8030-4eb1-af75-947780ee12e0
But you are not validated the occurences and award the fix bounty

[glensc]

making eventum release takes time, had to wait for Travis to finish the CI job.

[glensc]

Patch confirmed! 🎉

[noobpk]

Patch confirmed! 🎉

Is the occurences validated.

Example

The huntr will pay for me 1$ on one occurence validated.

[glensc]

again, don't understand, I marked as fixed and pointed to a commit. That was fine for previous reports

Status: Fixed

[noobpk]

again, don't understand, I marked as fixed and pointed to a commit. That was fine for previous reports

Status: Fixed

Did you see the occurrences section of my report?

It here

And if you confirm these occurrences are valid then I get a little extra bounty from the hunter. If you can't find it I'll ask admin for help. ^^!!

[glensc]

I see the occurrences, but they are just links. I think all of them got validated when I picked validate from right side. and I any case, if status is fixed, then prior were also validated.

[noobpk]

I see the occurrences, but they are just links. I think all of them got validated when I picked validate from right side. and I any case, if status is fixed, then prior were also validated.

I think so too but currently huntr is making it separate and sometimes the maintainer doesn't know. :((

Anyway, thanks for validated it ^^!!

[glensc]

I now see them all validated after fix-released event. perhaps it's automatic, perhaps it's automata with a human.