DOM based Cross-site-scripting vulnerability by injecting JS into the 'message' parameter to the event handler.

Created on 25 November 2024, about 2 months ago

Problem/Motivation

The web server does not validate client-supplied data submitted to the event listener on the Integrations Report page.

Pen-testers were able to execute JavaScript via a DOM-based cross-site scripting vulnerability by injecting JavaScript into the 'message' parameter handled by the event handler.

Steps to reproduce

    1. Data is read from postMessageJSON and passed to jQuery.append.
    2. The pen-testers were able to inject irrelevant tags such as img and script into the 'message' parameter, and those tags were rendered on the Integrations Report page.
    3. The event listener that receives the message does not validate the origin.
    4. It appears that the event listener that receives the message doesn't validate the "message" parameter data properly.

Proposed resolution

A check was added so that if any irrelevant code is injected into the message (an img tag, a script tag, or any PHP code), the message is displayed as NULL. The message value should also be sanitized with a library such as DOMPurify so that only safe HTML remains.
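The hardened handler below is an added example, not code from this issue or from the module it concerns. It applies the two fixes the report calls for: the listener checks event.origin before doing anything (step 3), then parses the JSON payload, drops any message that carries markup (the "display as NULL" rule), and escapes the remainder so jQuery.append() renders it as text. ALLOWED_ORIGIN, the payload shape, the element id and the regular expression are assumptions; because the example runs without a DOM, text escaping stands in for DOMPurify, which would be used instead if safe HTML must be preserved.

```javascript
// Added example (not the issue's or the module's code). Hardened "message" event
// handler for a postMessage payload of the form {"message": "..."} (assumed shape).

const ALLOWED_ORIGIN = 'https://integrations.example.com'; // assumed trusted sender

// Escape the characters that can start markup or break out of an attribute.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Parse the postMessage payload. Returns the message string, or null when the
// payload is not JSON (or an object) with a string "message" field.
function parseIntegrationMessage(raw) {
  let data;
  try {
    data = typeof raw === 'string' ? JSON.parse(raw) : raw;
  } catch (e) {
    return null;
  }
  if (!data || typeof data.message !== 'string') return null;
  return data.message;
}

// Return the HTML fragment to append, or null when the message must be dropped.
function renderIntegrationMessage(event) {
  if (event.origin !== ALLOWED_ORIGIN) return null;      // unknown sender: ignore
  const message = parseIntegrationMessage(event.data);
  if (message === null) return null;                     // malformed payload
  // Anything that looks like a tag, comment or PHP open tag is displayed as NULL.
  if (/<[a-z!\/?]/i.test(message)) return null;
  // Escaping makes jQuery.append() treat the remaining text as text, not HTML.
  return '<div class="integration-message">' + escapeHtml(message) + '</div>';
}

// Browser wiring (jQuery and the #integration-report element are assumed):
// window.addEventListener('message', (event) => {
//   const html = renderIntegrationMessage(event);
//   if (html !== null) jQuery('#integration-report').append(html);
// });
```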

🐛 Bug report

Status

Active

Version

2.0

Component

Code

Created by
