[#32451] - Escape the private message to protect against xss
- Closed
- 23 Feb 2021
- Medium
- Build: staging
- # 32451
- Diff
- zero-24:messages_xss
User tests: Successful: Unsuccessful:
Pull Request for an issue reported to the JSST by DangKhai from Viettel Cyber Security
Summary of Changes
Escape the private message to protect against xss. We do not apply any script filters to messages written by superadministartors. So a super admin could send a message with a script tag to an non super-admin.
Testing Instructions
set the editor plugin to "none"
Send (as super user) a message with a script tag in the body to another backend user
login as that other user
notice that the script tag is triggered
apply the patch
notice that the script tag is now escaped
Actual result BEFORE applying this Pull Request
the script tag is executed
Expected result AFTER applying this Pull Request
the script tag is escaped
Documentation Changes Required
None
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Category | ⇒ | Administration com_messages |
I have tested this item
Makes no sense.
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/32451.
Because its a super admin "hacking" their own users and there are many ways a super admin could do that without blocking this vector
Yes. I just would expect if someone gives a bad test result, he explains why.
Because its a super admin "hacking" their own users and there are many ways a super admin could do that without blocking this vector
Yes thats the reason it is handled here and not as security issue. But escaping the output (like we do in many other places) should not harm here too given that this also mitigates this kind of issues.
I have tested this item
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/32451.
| Status | Pending | ⇒ | Ready to Commit |
Unset failed test as no results/reason provided.
RTC
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/32451.
This should be closed, not set RTC
But escaping the output (like we do in many other places) should not harm here too given that this also mitigates this kind of issues.
Actually it will harm formatted message (bold, italic, tables etc.), if there any
This is no different to the rest of the CMS right? This shouldn't be different to e.g. the article body?
Sorry a superadmin can modify any file on the server so the attack vector against another super user doesn't makes much sense, he/she can even change the password of the other super user.
Beside that we do exactly the same on "all" editor fields (super user has super power).
I'm closing this. Thanks for the effort.
| Status | Ready to Commit | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2021-02-23 18:38:50 |
| Closed_By | ⇒ | HLeithner | |
| Labels |
Added:
?
?
|
||
I have tested this item✅ successfully on ad1c86e
Hint for other testers:
set the editor plugin to "none"in testing instructions has to be done in your user settings.This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/32451.