01483: XSS / CWE-79 in body search form

Summary: XSS / CWE-79 in body search form
Created: 2022-10-06 20:20
Status: Closed, fixed for 2.3.13
Category: Bug
Assigned:
Priority: 3
Version: 2.3.12
OS: ubuntu/nginx/php8

Description: openbugbounty reports an issue

in the body search form, which is vulnerable to XSS attack
https://www.openbugbounty.org/reports/2923193/

https://example.com/?rsd=</script><script>alert(document.domain)</script>

ends in:

<form class="wikisearch" action="https://example.com/" method="get">
<input type="hidden" name="rsd" value="</script><script>alert(document.domain)</script>">
<input type="hidden" name="action" value="search">
<input type="search" name="q" value="" placeholder="Search" class="inputbox searchbox" size="40">
<input type="submit" class="inputbutton searchbutton" value="Search in Wiki">
</form>

Please fix this issue and make sure that the Wiki doesn't use inline scripts, so that I can set a strict Content-Security-Policy header without using the unsafe-inline policy. For example, use nonces or hashes for script elements if possible.

Thank you a lot. If you have any questions feel free to contact me on twitter @lukystreik --lukystreik

Thank you for this report but this doesn't appear to be a bug in the core PmWiki installation. Notably we don't have a hidden "rsd" field in the default search forms, nor in currently installed skins on this website. From the example, I suspect you have visited some website that uses PmWiki but has some local customization that has opened a vulnerability. Feel free to contact the owners of that specific website.

If, on the other hand, you found a genuine bug with the PmWiki core, please make a demonstration on this page, or create pages in the Test group, so that we can reproduce it and review it. If you have any questions, do not hesitate to ask. If you prefer to discuss this privately, please email me at 5ko [snail] 5ko [period] fr. --Petko

I can reproduce the issue on your page. rsd is an example. You can name it what you want. rsd is only an example. This issue takes place if you have a search form in the page body. For example --lukystreik

Acknowledged, this is a bug, thanks, to be addressed ASAP today. --Petko

Fixed for 2.3.13, released today. Thanks again Lukystreik for helping improve the free/libre software. --Petko

Cool, great support, thanks Petko! I will roll out the lukystreik/volx-rz-pmwiki:2.3.13 docker image shortly on dockerhub

I have replied to your email, please let me know if I can assist further. --Petko

Hi Petko, can you send me the mail again? My spam guard has discarded it. --lukystreik

Sent again; also below.

The fix consisted of encoding the special characters, instead of:

  value="<script>..."

there is now:

  value="&lt;script&gt;..."

which is not active JavaScript and will not be executed.

The extra fields are added automatically because the pagelist/search functions rely on them to transmit data between searches, but there was indeed a bug that entities were not correctly escaped.

The fix is in the file scripts/pagelist.php on line 170.

Make sure all your files are updated, and look at the source code of the page -- using "Inspect element" gives the wrong impression.

Now, it is possible that I may have omitted something -- if so, please let me know how I can reproduce it. --Petko
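Added illustration, not PmWiki's own code and not the actual change in scripts/pagelist.php: a minimal PHP rendering of hidden search-form fields, the flawed unescaped version beside one that encodes the value with htmlspecialchars as the fix above describes. The parameter names and the payload value are constructed to mirror the report.

```php
<?php
// Hypothetical helper (not PmWiki's): render hidden inputs that carry
// pagelist/search parameters between requests.

function hiddenFieldsUnsafe(array $params): string {
    // Flawed: the raw value is dropped inside a double-quoted attribute, so
    // a value containing " and > can close the attribute and open a new tag.
    $out = '';
    foreach ($params as $name => $value) {
        $out .= "<input type=\"hidden\" name=\"$name\" value=\"$value\">\n";
    }
    return $out;
}

function hiddenFieldsEscaped(array $params): string {
    // Fixed: encode &, <, >, " and ' before interpolating into the attribute.
    // ENT_QUOTES handles both quote styles; the charset must match the page.
    $out = '';
    foreach ($params as $name => $value) {
        $n = htmlspecialchars((string)$name, ENT_QUOTES, 'UTF-8');
        $v = htmlspecialchars((string)$value, ENT_QUOTES, 'UTF-8');
        $out .= "<input type=\"hidden\" name=\"$n\" value=\"$v\">\n";
    }
    return $out;
}

// Constructed input resembling the reported request parameters.
$params = [
    'rsd'    => '</script><script>alert(document.domain)</script>',
    'action' => 'search',
];

echo "--- unsafe ---\n", hiddenFieldsUnsafe($params);
echo "--- escaped ---\n", hiddenFieldsEscaped($params);

// Regression check a maintainer could keep in a test suite: once escaped,
// no raw "<script" or closing quote from user data may survive in the markup.
$escaped = hiddenFieldsEscaped($params);
var_dump(strpos($escaped, '<script') === false);
var_dump(strpos($escaped, '&lt;script&gt;') !== false);
```

Viewing the rendered page source (not the browser's "Inspect element" tree, which decodes entities) is the way to confirm the entity-encoded form is what the server actually sent.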