01483: XSS / CWE-79 in body search form
Description: openbugbounty reports an issue
in the body search form, which is vulnerable to an XSS attack: https://www.openbugbounty.org/reports/2923193/
https://example.com/?rsd=</script><script>alert(document.domain)</script>
ends in:
<form class="wikisearch" action="https://example.com/" method="get"> <input type="hidden" name="rsd" value="</script><script>alert(document.domain)</script>"> <input type="hidden" name="action" value="search"> <input type="search" name="q" value="" placeholder="Search" class="inputbox searchbox" size="40"> <input type="submit" class="inputbutton searchbutton" value="Search in Wiki"> </form>
Please fix this issue and make sure that the Wiki doesn't use inline scripts, so that I can set a strict Content-Security-Policy header without using the unsafe-inline policy. For example, use nonce- or hashes for script elements if possible.
Thank you a lot. If you have any questions, feel free to contact me on Twitter @lukystreik. lukystreik
Thank you for this report but this doesn't appear to be a bug in the core PmWiki installation. Notably we don't have a hidden "rsd" field in the default search forms, nor in currently installed skins on this website. From the example, I suspect you have visited some website that uses PmWiki but has some local customization that has opened a vulnerability. Feel free to contact the owners of that specific website.
If, on the other hand, you found a genuine bug with the PmWiki core, please make a demonstration on this page, or create pages in the Test group, so that we can reproduce it and review it. If you have any questions, do not hesitate to ask. If you prefer to discuss this privately, please email me at 5ko [snail] 5ko [period] fr. --Petko
I can reproduce the issue on your page. rsd is an example. You can name it what you want. rsd is only an example. This issue takes place if you have a search form in the page body. For example --lukystreik
Acknowledged, this is a bug, thanks, to be addressed ASAP today. --Petko
Fixed for 2.3.13, released today. Thanks again Lukystreik for helping improve the free/libre software. --Petko
Cool, great support, thanks Petko! I will roll out the lukystreik/volx-rz-pmwiki:2.3.13 docker image shortly on dockerhub
I have replied to your email, please let me know if I can assist further. --Petko
Hi Petko, can you send me the mail again? My spam guard has discarded it. --lukystreik
Sent again; also below.
The fix consisted of encoding the special characters, instead of:
value="<script>..."
there is now:
value="&lt;script&gt;..."
which is not an active JavaScript and will not be executed.
The extra fields are added automatically because the pagelist/search functions rely on them to transmit data between searches, but there was indeed a bug that entities were not correctly escaped.
The fix is in the file scripts/pagelist.php on line 170.
Make sure all your files are updated, and look at the source code of the page -- using "Inspect element" gives the wrong impression.
Now, it is possible that I may have omitted something -- if so, please let me know how I can reproduce it. --Petko
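
The advice above to read the page source rather than "Inspect element" can be turned into a repeatable check. The following is an added example, not PmWiki code and not part of the thread: a Python sketch (PmWiki itself is PHP) in which `render_form`, `hidden_fields`, `echoed_safely` and the `SPECIALS` test value are hypothetical names chosen for illustration, and `REPORTED` is the `rsd` value from the report's URL.

```python
import html
from html.parser import HTMLParser

# Value of the "rsd" parameter from the report's example URL.
REPORTED = '</script><script>alert(document.domain)</script>'
# Constructed test value: only the characters that must be entity-encoded.
SPECIALS = 'a"b<c>&d'


def render_form(params, escape=True):
    """Echo request parameters into hidden fields, as a search form does.
    escape=False reproduces the unencoded output described in the report."""
    enc = (lambda s: html.escape(s, quote=True)) if escape else (lambda s: s)
    fields = "".join(
        f'<input type="hidden" name="{enc(k)}" value="{enc(v)}">'
        for k, v in params.items()
    )
    return f'<form class="wikisearch" method="get">{fields}</form>'


class HiddenFieldAudit(HTMLParser):
    """Collect hidden-field values as a parser (or "Inspect element") shows them."""

    def __init__(self):
        super().__init__()
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "input" and attrs.get("type") == "hidden":
            # Attribute values arrive here already entity-decoded.
            self.hidden[attrs.get("name")] = attrs.get("value")


def hidden_fields(raw_html):
    audit = HiddenFieldAudit()
    audit.feed(raw_html)
    audit.close()
    return audit.hidden


def echoed_safely(raw_html, params):
    """True if no value with special characters appears literally in the raw
    source, and each value still parses back intact from its own field."""
    parsed = hidden_fields(raw_html)
    return all(
        (html.escape(v) == v or v not in raw_html) and parsed.get(k) == v
        for k, v in params.items()
    )


if __name__ == "__main__":
    for value in (REPORTED, SPECIALS):
        for escape in (False, True):
            raw = render_form({"rsd": value}, escape)
            print(f"escape={escape} safe={echoed_safely(raw, {'rsd': value})} {raw}")
```

The parsed value of a correctly encoded field is the original string again, which is why a DOM inspector still displays `<script>` text after the fix while the raw source contains only `&lt;script&gt;`.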