
Cross-Site Scripting - XSS (reflected) in e[_itemcategory] request parameter #91

Open
blanderson22 opened this issue Dec 1, 2021 · 1 comment

Comments

@blanderson22

Describe the bug
Cross-site scripting vulnerability in parameter: e[_itemcategory] on the JBZoo search results page, accessed using JBZoo Search List module.

To Reproduce
Steps to reproduce the behavior:
The value of the e[_itemcategory] request parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The payload ihhas"onmouseover="alert(1)"style="position:absolute;width:100%;height:100%;top:0;left:0;"bm1p9 was submitted in the e[_itemcategory] parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response. The proof-of-concept attack demonstrated uses an event handler to introduce arbitrary JavaScript into the document.

Expected behavior
In most situations where user-controllable data is copied into application responses, cross-site scripting attacks can be prevented using two layers of defenses:

  • Input should be validated as strictly as possible on arrival, given the kind of content which it is expected to contain. For example, personal names should consist of alphabetical and a small range of typographical characters, and be relatively short; a year of birth should consist of exactly four numerals; email addresses should match a well-defined regular expression. Input which fails the validation should be rejected, not sanitized.
  • User input should be contextually encoded at any point where it is copied into application responses. All HTML metacharacters, including < > " ' and =, should be replaced with the corresponding HTML entities (&lt; &gt; etc.). JavaScript and CSS encoding needs to also be considered.
  • JavaScript Sanitization:
    In cases where the application's functionality allows users to author content using a restricted subset of HTML tags and attributes (for example, blog comments which allow limited formatting and linking), it is necessary to parse the supplied HTML to validate that it does not use any dangerous syntax; this is a non-trivial task.

Screenshots
Screen Shot 2021-12-01 at 10 47 11 AM

My system (please complete the following information):

  • JBZoo 4.12.0
  • Joomla 3.10.3
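The two defensive layers listed under "Expected behavior" (strict input validation, then contextual output encoding), shown as an added PHP example. This is not JBZoo's or Joomla's own code: the hidden-input markup, the function names and the category-id pattern are assumptions made for the illustration.

```php
<?php
// Added example, not JBZoo code: validating and encoding a request parameter
// that is reflected into a double-quoted HTML attribute value.
declare(strict_types=1);

// Layer 2: escape a value for insertion into a double-quoted HTML attribute.
// ENT_QUOTES encodes both " and ' so the same helper is safe in single-quoted
// attributes; ENT_SUBSTITUTE keeps invalid UTF-8 from turning the whole value
// into an empty string, which would hide the problem instead of surfacing it.
function attrEncode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Layer 1: reject anything that does not look like a category identifier.
// The pattern (alphanumerics, dash, underscore, at most 64 chars) is an
// assumption about what JBZoo category ids look like; adjust it to the real format.
function isValidCategory(string $value): bool
{
    return (bool) preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $value);
}

// Vulnerable pattern (the shape the report describes): the raw request value is
// copied straight into the attribute, so a " in the input ends the attribute.
function renderCategoryFieldUnsafe(string $category): string
{
    return '<input type="hidden" name="e[_itemcategory]" value="' . $category . '">';
}

// Hardened pattern: validate on arrival, encode at the point of output.
function renderCategoryFieldSafe(string $category): string
{
    if (!isValidCategory($category)) {
        // Invalid input is rejected, not sanitized into something "close enough".
        throw new InvalidArgumentException('invalid category id');
    }
    return '<input type="hidden" name="e[_itemcategory]" value="' . attrEncode($category) . '">';
}

// Constructed input with the same shape as the report's proof of concept:
// it closes the attribute and opens an event-handler attribute.
$hostile = 'x"onmouseover="alert(1)"y';

echo 'unsafe:  ' . renderCategoryFieldUnsafe($hostile) . PHP_EOL;

// With validation in front, the hostile value never reaches the template.
try {
    renderCategoryFieldSafe($hostile);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . PHP_EOL;
}

// A legitimate id passes validation and is encoded on output.
echo 'safe:    ' . renderCategoryFieldSafe('blog-posts') . PHP_EOL;

// Encoding alone (no validation) still keeps the browser inside one attribute
// value, because every " has become &quot;.
echo 'encoded: ' . attrEncode($hostile) . PHP_EOL;
```

Note that htmlspecialchars() does not encode =, so the encoding layer only holds when the attribute is actually quoted; an unquoted attribute (value=<?= ... ?>) would still be breakable by a space. Joomla views expose an escape() helper for the same purpose; whichever helper is used, check which flags it passes to htmlspecialchars() before relying on it for single-quoted attributes.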
@fiction13
Contributor

Hello!

Thanks, we will check it too.
