XSS bypass of the sanitizer in pbboard/pbboard-3.0.4

Valid

Reported on

Feb 2nd 2023


Description

Hi @maintainer. The filter you use to clean XSS is unsafe. Please choose an XSS filter with a large number of users and a high evaluation.

Proof of Concept

1. Log in to the forum as any user.

2. Send dangerous messages to admin users.

3. The value of the Message is below

<a/href="1"/ononclickclick="alalertert`you are hacked`">click me</a>

4. Admin users view the Message sent by the attacker. Click the link the attacker sent.

Impact

(1) To steal the administrator account or cookie, the intruder can log in to the background as an administrator. It enables intruders to manipulate background data maliciously, including reading, changing, adding and deleting some information.

(2) Stealing users' personal information or login accounts will pose a huge threat to the user security of the website. For example, pretend to be a user for various operations.

(3) The website hangs horses. First, embed the malicious attack code into the Web application. When the user browses the hanging horse page, the user's computer will be implanted with a Trojan horse.

(4) Send advertisements or spam messages. Attackers can use XSS vulnerabilities to plant advertisements or send spam, seriously affecting
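Why a message shaped like the one in step 3 survives keyword stripping, shown as an added example that is not PBBoard's code and not part of the original report. It assumes (the page does not show the filter) a blacklist that deletes keywords in a single pass; `BLACKLIST` and the three function names are hypothetical.

```php
<?php
// Added illustration; NOT PBBoard's filter. The blacklist below is hypothetical.
const BLACKLIST = ['onclick', 'alert', 'script'];

// Weak: each keyword is deleted once and the result is never re-scanned, so
// deleting the inner keyword splices the surrounding fragments back together
// ("ononclickclick" becomes "onclick").
function strip_once(string $html): string
{
    return str_ireplace(BLACKLIST, '', $html);
}

// Repeating until nothing changes closes the splice trick, but it is still a
// blacklist: any handler or syntax that is not listed passes straight through.
function strip_until_stable(string $html): string
{
    do {
        $before = $html;
        $html = str_ireplace(BLACKLIST, '', $html);
    } while ($html !== $before);
    return $html;
}

// Robust for plain-text fields: encode on output so no markup survives at all.
function escape_for_html(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The message body from step 3 of the report.
$message = '<a/href="1"/ononclickclick="alalertert`you are hacked`">click me</a>';

$results = [
    'single pass'     => strip_once($message),
    'until stable'    => strip_until_stable($message),
    'output encoding' => escape_for_html($message),
];

foreach ($results as $label => $out) {
    // Flag any output in which an event-handler attribute was reassembled.
    $handler = stripos($out, 'onclick=') !== false ? 'handler present' : 'no handler';
    printf("%-16s %-16s %s\n", $label, $handler, $out);
}
```

Where the field must accept some HTML, an allowlist-based sanitizer that parses the markup and keeps only known-safe tags and attributes is the counterpart to output encoding.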

We are processing your report and will contact the pbboard/pbboard-3.0.4 team within 24 hours. 10 months ago
We have contacted a member of the pbboard/pbboard-3.0.4 team and are waiting to hear back 10 months ago
PBBoard Forum Software validated this vulnerability 10 months ago
Christy__ has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Christy__
10 months ago

Researcher


Hi @admin, the bug has been fixed, but the maintainer told me that he had a 'commit sha not found in repository' when marking the report as fixed. Can you mark the report as fixed? Thanks. And the commit is https://github.com/pbboard/PBBoard-3.0.4/commit/30a359be05e43d2bbfe9e5a9cc1368e0b23b59d5

Ben Harvie
10 months ago

Admin


I am able to mark the report as fixed with the SHA 30a359be05e43d2bbfe9e5a9cc1368e0b23b59d5 if you could ask the maintainer to try again or to confirm in the comments here and I can do it for them. Thanks!

Christy__
9 months ago

Researcher


Hi @admin, I contacted the manager of the project through email, but he still couldn't mark this report successfully. The commit is https://github.com/pbboard/PBBoard-3.0.4/commit/30a359be05e43d2bbfe9e5a9cc1368e0b23b59d5 . You can also verify whether the vulnerability has been fixed. I hope you can help us, which is very important to me, thank you.

PBBoard
9 months ago

Maintainer


I still couldn't mark this report successfully. 🤔

Ben Harvie marked this as fixed in 3.0.4 with commit 30a359 9 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Ben Harvie published this vulnerability 9 months ago
Ben Harvie
9 months ago

Admin


I've marked it as fixed on your behalf :)
