[Mahara-contributors] [Bug 1404117] Re: XSS via uploaded XML

Tue, 07 Nov 2017 19:50:06 -0800 

** CVE added: https://cve.mitre.org/cgi-
bin/cvename.cgi?name=2017-1000140

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask 
on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1404117

Title:
  XSS via uploaded XML

Status in Mahara:
  Fix Released
Status in Mahara 1.10 series:
  Fix Released
Status in Mahara 1.8 series:
  Fix Released
Status in Mahara 1.9 series:
  Fix Released
Status in Mahara 15.04 series:
  Fix Released

Bug description:
  Reported by Roman Mironov

  
  Dear Sir/Madam,

  
  I have found a security vulnerability and would like to disclose it to you.

  An attacker can use this vulnerability to initiate stored Cross-Site
  scripting attacks on authenticated users.


  Bug Description:
  It is possible to upload .xml files with malicious code and then share them 
with users.

  
  As proof of concept it was possible to share a file between accounts that 
redirects the user to google.com.

  In order to reproduce this proof of concept please follow these steps:

  
  Preconditions:

  1) Ensure you have 2 accounts (user A and user B) that have access to
  each others Journal entries.

  2) Create an .xml file that has the following line of code:

  <script
  
xmlns="http://www.w3.org/1999/xhtml";>document.location='http://google.com';</script>

  
  Steps to Reproduce:

  1) Log-in as user A.

  2) Navigate to /artefact/internal/index.php and select Journal on the
  Navigation block.

  3) Press the 'New Entry' button.

  4) Enter any Title and Entry text.

  5) Add the previously created .xml file as an attachment and press
  'Save Entry'.

  
  6) Log-in as user B.

  7) Navigate to user A profile page.

  8) Find the previously created Journal entry and press the 'Download'
  button next to the .xml file name.

  9) Observe that you are redirected to google.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1404117/+subscriptions

_______________________________________________
Mailing list: https://launchpad.net/~mahara-contributors
Post to     : mahara-contributors@lists.launchpad.net
Unsubscribe : https://launchpad.net/~mahara-contributors
More help   : https://help.launchpad.net/ListHelp

Reply via email to