Stored cross site scripting in all "tags" input

Bug #1944633 reported by Dominic
Affects   Status        Importance   Assigned to   Milestone
Mahara    Fix Released  High         Unassigned
20.04     Fix Released  High         Unassigned
20.10     Fix Released  High         Unassigned
21.04     Fix Released  High         Unassigned

Bug Description

Hello again! In many places in Mahara it's possible to set "tags" for specific objects. In each case the input field used to edit tags is vulnerable to XSS. The attack pattern is to set the payload in a place where it's likely someone else will come and edit later on. Group pages seem like a good target as they seem likely to be edited as part of someone's normal workflow.

1. Visit http://localhost:6142/mahara/group/edit.php and create a group
2. Go to the "Pages and Collection" page in the group, click "+ Add" and select "Page" in the pop up selection
3. Write "<script>alert(document.domain)</script>" in the "Tags" input and click on the element that shows up in the "autocomplete" dropdown to set the tag (The XSS will pop but at this point it's only self XSS)
4. Save the page
5. Invite another user to your group to be your victim by going to the Members tab and clicking the "send multiple invitations at once" link

Now if the invited user edits that page's settings the XSS will fire.

There are other "tags" inputs throughout the application where a similar attack scenario would work.

Suggested CVSS: AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N 7.7

I'm taking a guess here with the A:H/I:H and I didn't push too hard to figure out the maximum impact, but the XSS should allow the attacker to read and modify any private data that belongs to the victim.

Let me know if you need anything else!

Dominic

Dominic (dee-see) wrote :

I'm not sure if adding the Mahara Security team as subscribers after the creation of the ticket was enough to get you folks notified so here's another message to generate a notification :)

Kristina Hoeppner (kris-hoeppner) wrote :

Hi Dominic,

It did help. We did get the initial info about the issue you reported. We will review it and get back to you within 10 business days.

Thank you
Kristina

Robert Lyon (robertl-9) wrote :

This issue looks to be related to the screen-readable text we add to the selector after the tag is entered in relating to deleting the tag.

Have begun a patch for this problem
https://reviews.mahara.org/#/c/12030/

Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/12125
Committed: https://git.mahara.org/mahara/mahara/commit/8f8fd43ed08e6c8ef614668ce84c269605ba3ca6
Submitter: Robert Lyon (<email address hidden>)
Branch: main

commit 8f8fd43ed08e6c8ef614668ce84c269605ba3ca6
Author: Robert Lyon <email address hidden>
Date: Thu Sep 23 14:22:30 2021 +1200

Security bug 1944633: Select2 dealing with bad characters

If we have something like <script>alert(document.domain)</script>
being put into a select2 field then selected, eg tags for a page, then
we need to escape the input so that the code isn't executed.

Change-Id: I64b8dbd3d6071e27584d8c5199b2eb35c803c9de
Signed-off-by: Robert Lyon <email address hidden>
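The root cause named above (screen-reader "remove tag" text appended to the selection after a tag is entered) and the fix the commit message describes (escape the input before it lands in the selector) can be shown side by side. This is an added illustration, not Mahara's or Select2's own code; the chip markup and function names are assumptions made for the example.

```javascript
// Added example (not Mahara's own code): how the screen-reader "remove tag"
// text appended to a Select2 selection must be built. The chip markup below
// is an assumption for illustration; Mahara's real template differs.

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Vulnerable pattern: the raw tag text is concatenated into HTML that is
// later assigned via innerHTML, so a tag containing markup becomes markup.
function renderTagChipUnsafe(tag) {
  return '<li class="select2-selection__choice">' + tag +
    '<span class="sr-only">Remove tag ' + tag + '</span></li>';
}

// Hardened pattern: every interpolation of untrusted text goes through
// escapeHtml, so the browser renders the characters literally.
function renderTagChipSafe(tag) {
  const t = escapeHtml(tag);
  return '<li class="select2-selection__choice">' + t +
    '<span class="sr-only">Remove tag ' + t + '</span></li>';
}

// Review check: the only element names in a rendered chip should be the ones
// the template itself emits; anything else came from the tag text.
function containsUnexpectedTags(html, allowed = ['li', 'span']) {
  const re = /<\/?([a-zA-Z][a-zA-Z0-9]*)/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    if (!allowed.includes(m[1].toLowerCase())) return true;
  }
  return false;
}

// Constructed input: the same tag text the bug report used.
const reportedTag = '<script>alert(document.domain)</script>';
```

Running containsUnexpectedTags over both renderings of reportedTag shows the unsafe chip carries a script element while the hardened chip only contains li and span.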

Mahara Bot (dev-mahara) wrote : A patch has been submitted for review

Patch for "21.10_DEV" branch: https://reviews.mahara.org/12190

Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/12190
Committed: https://git.mahara.org/mahara/mahara/commit/756e4ccc7f56be3cf786e84506952987883696f9
Submitter: Robert Lyon (<email address hidden>)
Branch: 21.10_DEV

commit 756e4ccc7f56be3cf786e84506952987883696f9
Author: Robert Lyon <email address hidden>
Date: Thu Sep 23 14:22:30 2021 +1200

Security bug 1944633: Select2 dealing with bad characters

If we have something like <script>alert(document.domain)</script>
being put into a select2 field then selected, eg tags for a page, then
we need to escape the input so that the code isn't executed.

Change-Id: I64b8dbd3d6071e27584d8c5199b2eb35c803c9de
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit 8f8fd43ed08e6c8ef614668ce84c269605ba3ca6)

Mahara Bot (dev-mahara) wrote : A patch has been submitted for review

Patch for "21.04_STABLE" branch: https://reviews.mahara.org/12191

Mahara Bot (dev-mahara) wrote :

Patch for "20.10_STABLE" branch: https://reviews.mahara.org/12192

Mahara Bot (dev-mahara) wrote :

Patch for "20.04_STABLE" branch: https://reviews.mahara.org/12193

no longer affects: mahara/21.10
Robert Lyon (robertl-9)
information type: Private Security → Public Security
Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/12193
Committed: https://git.mahara.org/mahara/mahara/commit/69097de77312844b2b48ac6846a249955ad18587
Submitter: Robert Lyon (<email address hidden>)
Branch: 20.04_STABLE

commit 69097de77312844b2b48ac6846a249955ad18587
Author: Robert Lyon <email address hidden>
Date: Thu Sep 23 14:22:30 2021 +1200

Security bug 1944633: Select2 dealing with bad characters

If we have something like <script>alert(document.domain)</script>
being put into a select2 field then selected, eg tags for a page, then
we need to escape the input so that the code isn't executed.

Change-Id: I64b8dbd3d6071e27584d8c5199b2eb35c803c9de
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit 8f8fd43ed08e6c8ef614668ce84c269605ba3ca6)
(cherry picked from commit 756e4ccc7f56be3cf786e84506952987883696f9)

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/12192
Committed: https://git.mahara.org/mahara/mahara/commit/d32f9c74d1a799c89632ae789e2da75b09adb32f
Submitter: Robert Lyon (<email address hidden>)
Branch: 20.10_STABLE

commit d32f9c74d1a799c89632ae789e2da75b09adb32f
Author: Robert Lyon <email address hidden>
Date: Thu Sep 23 14:22:30 2021 +1200

Security bug 1944633: Select2 dealing with bad characters

If we have something like <script>alert(document.domain)</script>
being put into a select2 field then selected, eg tags for a page, then
we need to escape the input so that the code isn't executed.

Change-Id: I64b8dbd3d6071e27584d8c5199b2eb35c803c9de
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit 8f8fd43ed08e6c8ef614668ce84c269605ba3ca6)
(cherry picked from commit 756e4ccc7f56be3cf786e84506952987883696f9)

Robert Lyon (robertl-9) wrote :

For the security forum post:

Vulnerability type: XSS
Attack type: Local
Impact: Code execution

Affected components: The adding or displaying of tags on pages or content
Attack vectors: If a person creates a tag in a certain way then shares the page with others then when they view the page the tag can cause code execution.

Suggested description: In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, certain tag syntax could cause code execution.

Reported by: Dominic Couture
Bug report: https://bugs.launchpad.net/mahara/+bug/1944633
CVE reference: TBC

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/12191
Committed: https://git.mahara.org/mahara/mahara/commit/4fb5b8e728707e950afaf64c0c59a3c79803159e
Submitter: Gold (<email address hidden>)
Branch: 21.04_STABLE

commit 4fb5b8e728707e950afaf64c0c59a3c79803159e
Author: Robert Lyon <email address hidden>
Date: Thu Sep 23 14:22:30 2021 +1200

Security bug 1944633: Select2 dealing with bad characters

If we have something like <script>alert(document.domain)</script>
being put into a select2 field then selected, eg tags for a page, then
we need to escape the input so that the code isn't executed.

Change-Id: I64b8dbd3d6071e27584d8c5199b2eb35c803c9de
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit 8f8fd43ed08e6c8ef614668ce84c269605ba3ca6)
(cherry picked from commit 756e4ccc7f56be3cf786e84506952987883696f9)
