Bug Report

Quick Links XSS Code Allowed

Date: 03/16/2008
Show-stopper?:
Status: Bug Squashed
Reporter: quicksketch
Reported in Version: EE 1.6.2
Assigned To: Derek Jones
Keywords: Control Panel, My Account
Support Thread:

Details

Quick Links titles are not filtered for HTML or SCRIPT tags. This makes it possible for an administrator's or an unsuspecting user's quick links to be modified to include an XSS payload that runs whenever the Control Panel is viewed.

To reproduce:
- Go to CP -> My Account -> Extras -> Quick Links
- Enter “Google[removed]alert(‘hello’)[removed]” as the title
- Enter “http://google.com” as the URL
- Save

Now there is a quick link for “Google”, but it also executes the script contained in the title.

To make this more sneaky, you can open Firebug and remove the maxlength attribute from the title text field. The length limit is only enforced in the browser, so once the attribute is gone you can submit a link title followed by an entire script.
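The following is an added illustration, not ExpressionEngine's own code: a Quick Links renderer written the way the report describes (title echoed verbatim) beside a hardened version that validates the title length on the server and escapes it on output. The title limit constant is an assumption; the real limit is not stated in the report.

```php
<?php
// Added example (not ExpressionEngine code): unsafe vs. escaped Quick Links output.

// Assumed server-side limit; the report does not give EE's actual maxlength value.
const QUICK_LINK_TITLE_MAXLENGTH = 50;

// Vulnerable form: the stored title is echoed verbatim, so any markup in it
// is parsed and executed by the browser viewing the Control Panel.
function render_quick_links_unsafe(array $links): string
{
    $out = '';
    foreach ($links as $link) {
        $out .= '<li><a href="' . $link['url'] . '">' . $link['title'] . '</a></li>';
    }
    return $out;
}

// Server-side check: the form's maxlength attribute can be removed in the browser
// (Firebug, as the report notes), so the limit must also be enforced on save.
function validate_quick_link_title(string $title): bool
{
    return $title !== '' && mb_strlen($title) <= QUICK_LINK_TITLE_MAXLENGTH;
}

// Hardened form: every stored value is HTML-escaped at the point of output,
// so a title containing <script> is displayed as text rather than executed.
function render_quick_links_safe(array $links): string
{
    $out = '';
    foreach ($links as $link) {
        $title = htmlspecialchars($link['title'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $url   = htmlspecialchars($link['url'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $out .= '<li><a href="' . $url . '">' . $title . '</a></li>';
    }
    return $out;
}

// Constructed sample input mirroring the report's repro steps.
$links = [
    ['title' => "Google<script>alert('hello')</script>", 'url' => 'http://google.com'],
];

var_dump(validate_quick_link_title($links[0]['title'])); // bool(true): short enough, so escaping must carry the load
echo render_quick_links_unsafe($links), "\n"; // raw <script> reaches the browser
echo render_quick_links_safe($links), "\n";   // &lt;script&gt;... rendered as inert text
```

Escaping on output is the fix for the stored XSS itself; the length check only closes the client-side-only maxlength gap the report points out.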

Comment on Bug Report

Posted by: Paul Burdick on 16 March 2008 5:18pm

Yes, HTML code can be put into this field. However, one must be a valid user who has access to the Control Panel and logged in. Further, they can only do it to their own Quick Links and it only accepts POST data so there is no way to do any manner of CSRF attack unless Secure Forms are turned off and the location of your CP is known. So, realistically, only someone who chose to put such code in there would cause a problem. Kind of like purposefully hitting your own toe with a hammer.

Still, it is not intentional and I would rather not have someone complain that they can do this to themselves. Downgraded to Major.
