rosariosis · Issue #307 · Closed
Issue created Jan 21, 2021 by Dustin Born (@ra1nb0rn)

XSS Filter Bypass in MarkDown and Other Fields Due to Usage of Outdated Filter

Hi @francoisjacquet,

I found a way to bypass the XSS sanitization that appears to be used for MarkDown and some other fields in RosarioSIS. The vulnerability is present in the latest version. Details are described below.

XSS Filter Bypass in MarkDown and Other Fields Due to Usage of Outdated Filter

To prevent Cross-Site Scripting (XSS) attacks, user input from MarkDown and other input fields is filtered via the function xss_clean(...) as defined in the file classes/Security.php. As stated in the function's documentation:

This function and other functions that it uses are taken from Codeigniter 2.1.3 and modified them to our needs. In turn, I have taken this from JasonMortonNZ.

Consequently, any vulnerabilities contained in xss_clean(...) from CodeIgniter 2.1.3 and potentially later versions likely also affect the xss_clean(...) function as implemented in RosarioSIS. As an example, the vulnerability described at https://nealpoole.com/blog/2013/07/codeigniter-21-xss-clean-filter-bypass/ also affects RosarioSIS, meaning XSS is possible. To get an indication of the affected code, the command line tool grep can be used in the root directory of RosarioSIS like so:

grep -R "SanitizeHTML\|SanitizeMarkDown\|MarkDownToHTML\s*(.*)" --include="*.php" .

Proof of Concept

In this PoC, an admin user is used for simplicity. Note, however, that because the vulnerable code is used at multiple locations throughout RosarioSIS' code, students or teachers may also be capable of exploiting this vulnerability within some other functionality. The exploitation steps are as follows:

  1. Log in as admin
  2. Go to http://rosariosis.local/Modules.php?modname=School_Setup/PortalNotes.php. Note that the domain name may have to be adapted to your setup.
  3. Create a new note with some title like "My XSS" and enter into the MarkDown input field for the note:
    <img src="a" onerror="eval(atob('cHJvbXB0KDEpOw=='));"
    The Base64 string simply encodes the payload prompt(1);
  4. Save the note
  5. The page refreshes automatically and the XSS payload is executed (screenshot: rosariosis_xss). Note that the XSS payload is stored persistently in this case.

Remediation

To fix the explicitly shown vulnerability and others inherited from the outdated CodeIgniter code, RosarioSIS' xss_clean(...) function should be updated to match CodeIgniter's latest implementation of the respective function. Further, plainly copying security-related code should be avoided as such code can become outdated and susceptible to known vulnerabilities already discovered in the original code. Rather, a mechanism to keep the "copied" code up to date and match the latest version of the original code should be used.
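As an added illustration (not code from this issue or from RosarioSIS), the following Python regression check shows why the reported payload, whose `<img` tag is never closed, slips past a filter that only recognises complete `<...>` tags, while plain output encoding neutralises it. `naive_strip_tags` is a constructed stand-in for such a blacklist filter and is not a copy of the project's `xss_clean(...)`; `still_dangerous` is the kind of assertion a maintainer can keep in the test suite after updating the sanitizer.

```python
import html
import re

# Constructed stand-in for a blacklist filter that only removes complete,
# well-formed tags. It is NOT RosarioSIS' xss_clean() and exists only to show
# the failure mode: a tag without a closing '>' never matches and survives.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def naive_strip_tags(value: str) -> str:
    """Remove every complete <tag ...> sequence; unclosed tags are left intact."""
    return TAG_RE.sub("", value)


def escape_all(value: str) -> str:
    """Output encoding treats the input as text: a dangling '<' can no longer
    start an element, whether or not the tag is ever closed."""
    return html.escape(value, quote=True)


# Payload quoted in the issue: an <img> tag with no closing '>' and an
# onerror handler. Browsers still build the element (and fire onerror) when
# the tag is left unclosed at the end of the document.
PAYLOAD = '<img src="a" onerror="eval(atob(\'cHJvbXB0KDEpOw==\'));"'

# Conservative markers: an unescaped tag opener plus any on* attribute.
TAG_OPENER_RE = re.compile(r"<\s*[a-zA-Z]")
EVENT_HANDLER_RE = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)


def still_dangerous(sanitized: str) -> bool:
    """Regression check for a sanitizer's output: True if a raw tag opener
    survives alongside an event-handler attribute, closed tag or not."""
    return bool(TAG_OPENER_RE.search(sanitized)) and bool(
        EVENT_HANDLER_RE.search(sanitized)
    )


if __name__ == "__main__":
    for name, fn in (("naive_strip_tags", naive_strip_tags), ("escape_all", escape_all)):
        out = fn(PAYLOAD)
        print(f"{name:16} dangerous={still_dangerous(out)!s:5} -> {out}")
```

For Markdown fields the escape must happen before, or be enforced by an allowlisting HTML sanitizer after, the Markdown-to-HTML step, otherwise the encoded text is rendered as literal characters.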
