XSS Stored inside help links onevent attribute in glpi-project/glpi

Valid

Reported on

Nov 3rd 2022


📜 Description

Cross-site scripting (XSS) is a type of security vulnerability that can be found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users.

The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw: it occurs when the data provided by the attacker is saved by the server, and then permanently displayed on "normal" pages returned to other users in the course of regular browsing, without proper HTML escaping.

In your application, XSS occurs when an administrator injects an XSS payload inside the Simplified interface help link and/or Standard Interface Help Link.

🕵️ Proof of Concept

Use an admin account to inject an help link

Payload used :

' onfocus='print()

If an admin focus the element, the XSS will be executed !

🚧 Impacts

XSS can cause a variety of problems for the end user that range in severity from an annoyance to complete account compromise.

Example of impacts :

  • Disclosure of the user’s session cookie, allowing an attacker to hijack the user’s session and take over the account (Only if HttpOnly cookie's flag is set to false).
  • Redirecting the user to some other page or site (like phishing websites)
  • Modifying the content of the current page (add a fake login page that sends credentials to the attacker).
  • Automatically download malicious files.
  • Requests access to the victim geolocation / camera.
  • ...

📚 References

Impact

🔐 Mitigations

For XSS attacks to be successful, an attacker needs to insert and execute malicious content in a webpage. Each variable in a web application needs to be protected. Ensuring that all variables go through validation and are then escaped or sanitized is known as perfect injection resistance. Any variable that does not go through this process is a potential weakness. Frameworks make it easy to ensure variables are correctly validated and escaped or sanitised. In PHP, you can use the htmlspecialchars function to sanitize variables.

As a last line of defense, you can use Content Security Policy (CSP) to reduce the severity of any XSS vulnerabilities that still occur or Web Application Firewall (WAF).

To fix the vulnerability, you can use the function isValidWebUrl($url) from Toolbox.php.

References

We are processing your report and will contact the glpi-project/glpi team within 24 hours. a year ago
xanhacks modified the report
a year ago
We have contacted a member of the glpi-project/glpi team and are waiting to hear back a year ago
We have sent a follow up to the glpi-project/glpi team. We will try again in 4 days. a year ago
We have sent a second follow up to the glpi-project/glpi team. We will try again in 7 days. a year ago
Alexandre Delaunay validated this vulnerability a year ago
xanhacks has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
xanhacks
a year ago

Researcher


Hello, have you already created the GHSA (security issue on Github) ?

xanhacks
a year ago

Researcher


@maintainer any update ?

Cédric Anne
a year ago

Maintainer


https://github.com/glpi-project/glpi/security/advisories/GHSA-qqqm-7h6v-7cf4

Cédric Anne marked this as fixed in 10.0.6 with commit e3be02 a year ago
The fix bounty has been dropped
This vulnerability has now been published a year ago
to join this conversation