Bug #23555
closed
FORM content object is susceptible to XSS
Added by Helmut Hummel over 13 years ago.
Updated over 5 years ago.
Description
An editor can enter arbitrary JavaScript into a FORM content element, which gets executed in the frontend.
Exploit code below
(issue imported from #M15735)
Files
|
15735_trunk.patch (558 Bytes)
15735_trunk.patch |
|
Administrator Admin, 2010-12-02 20:29
|
|
|
15735_44.patch (500 Bytes)
15735_44.patch |
|
Administrator Admin, 2010-12-02 20:29
|
|
|
15735_43.patch (500 Bytes)
15735_43.patch |
|
Administrator Admin, 2010-12-02 20:29
|
|
|
15735_42.patch (500 Bytes)
15735_42.patch |
|
Administrator Admin, 2010-12-02 20:29
|
|
|
15735_v2_trunk.patch (903 Bytes)
15735_v2_trunk.patch |
|
Administrator Admin, 2010-12-09 19:52
|
|
|
15735_v2_44.patch (844 Bytes)
15735_v2_44.patch |
|
Administrator Admin, 2010-12-09 19:52
|
|
|
15735_v2_43.patch (844 Bytes)
15735_v2_43.patch |
|
Administrator Admin, 2010-12-09 19:52
|
|
|
15735_v2_42.patch (844 Bytes)
15735_v2_42.patch |
|
Administrator Admin, 2010-12-09 19:52
|
|
|
15735_42_v3.patch (779 Bytes)
15735_42_v3.patch |
|
Administrator Admin, 2010-12-09 20:42
|
|
|
15735_43_v3.patch (779 Bytes)
15735_43_v3.patch |
|
Administrator Admin, 2010-12-09 20:42
|
|
|
15735_44_v3.patch (779 Bytes)
15735_44_v3.patch |
|
Administrator Admin, 2010-12-09 20:42
|
|
|
15735_45_v3.patch (851 Bytes)
15735_45_v3.patch |
|
Administrator Admin, 2010-12-09 20:42
|
|
Exploit Code:
Put this in the content element FORM:
Name: | *name=input,40 | Enter your name here
Email: | *email=input,40
| formtype_mail=submit | Send form!
| html_enabled=hidden | 1
| subject=hidden | This is the subject
| fooar" /><script>alert(123)</script><input type="hidden" name="bazbaz=hidden | This is baz
The problem relies in the fact that the fieldname doesn't get HSCed.
- Status changed from Resolved to Closed
Also available in: Atom
PDF
Updated by 
Updated by