Kaustubharas
2 Dec 2019

Steps to reproduce the issue

  1. Log in to Joomla admin.
  2. Go to Articles and click on New to create a new Article.
  3. Enter a Title.
  4. In Article text, enter some text, e.g. "This is a test article".
  5. Before saving, start Burp Suite and then hit Save. The request will be captured by Burp Suite.
  6. Go to Burp Suite, go to the "Params" tab, change the article text from "This is a test article" to "<svg onload=alert(1)>" and click on "Forward" till the article gets saved.
  7. Now switch off the intercept in Burp Suite, go to the Joomla frontend and log in with a user.
  8. Click on the articles menu to view the article.
  9. Once the user clicks on the article, the script gets executed.

Expected result

The article shouldn't get saved with the script tag.

Actual result

The article is getting saved with the script tag and the script is getting executed on the user side.

System information (as much as possible)

PHP 7.2
Joomla 4.0.0-alpha12-dev

Kaustubharas - open - 2 Dec 2019
joomla-cms-bot - labeled - 2 Dec 2019
Kaustubharas - change - 2 Dec 2019
The description was changed
Kaustubharas - edited - 2 Dec 2019
SharkyKZ - comment - 10 Dec 2019

As far as I can tell, this only bypasses the editor's client-side validation. If I had to guess, you did this as a Super User, and Super Users are actually allowed to insert JavaScript in editor text by default (regarding server-side filtering).

I also tried this as an Editor and it saved only <svg />. So server-side filtering seems to work fine.

SharkyKZ - comment - 10 Dec 2019

Let's ask the experts @zero-24 @SniperSister.

zero-24 - comment - 10 Dec 2019

Exactly what @SharkyKZ said: by default, it is expected behavior for Super Users that no filtering is applied. You can review and change the setting in the "Text Filter" Options in the Global Configuration.
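
The behaviour described in the comments above (no server-side filtering for Super Users, event-handler attributes stripped for an Editor) can be modelled as follows. This is an added example, not part of the thread and not Joomla's filter code; the policy table, the tag and attribute lists and the function names are assumptions for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Assumed policy table for illustration: group name -> filter mode.
GROUP_POLICY = {"Super Users": "none", "Editor": "strict"}
DROP_WITH_CONTENT = {"script", "style"}
FORBIDDEN_TAGS = DROP_WITH_CONTENT | {"iframe", "object", "embed"}
ALLOWED_ATTRS = {"href", "src", "alt", "title", "class"}

def _safe_url(value):
    # Drop whitespace/control characters before reading the scheme.
    head = "".join(c for c in value if c > " ").lower().split("/", 1)[0]
    scheme = head.split(":", 1)[0] if ":" in head else ""
    return scheme in ("", "http", "https", "mailto")

class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0  # skip > 0 while inside script/style
    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        if tag in FORBIDDEN_TAGS or self.skip:
            return
        kept = ""
        for name, value in attrs:
            value = value or ""
            # Attribute allowlist: onload, onerror, style, srcdoc, ... never pass.
            if name not in ALLOWED_ATTRS or (
                    name in ("href", "src") and not _safe_url(value)):
                continue
            kept += f' {name}="{escape(value)}"'
        self.out.append(f"<{tag}{kept}>")
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag not in FORBIDDEN_TAGS and not self.skip:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def filter_article_text(html, group):
    # Unknown groups get the strict filter; only an explicit "none" skips it.
    if GROUP_POLICY.get(group, "strict") == "none":
        return html
    parser = _Sanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```

The filter runs on the server on the submitted value, so editing the request in a proxy changes nothing for a filtered group; the only way past it in this model is membership in a group whose mode is "none".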

joomla-cms-bot - change - 12 Dec 2019
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2019-12-12 07:54:30
Closed_By: joomla-cms-bot
alikon - change - 12 Dec 2019
Status: Closed → Expected Behaviour
Closed_By: joomla-cms-bot → alikon
joomla-cms-bot - close - 12 Dec 2019
joomla-cms-bot - comment - 12 Dec 2019

Set to "closed" on behalf of @alikon by The JTracker Application at issues.joomla.org/joomla-cms/27196

alikon - comment - 12 Dec 2019

expected behaviour


This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/27196.
