Admin Panel XSS

Description

There are a few reflected and stored XSS issues in the admin panel, caused by insufficient user input XSS filtering (only looking for `<script>`).

Reflected XSS in search query: http://localhost:8888/lucee/admin/server.cfm?action=admin.search&q="%20><img%20src=""%20onerror="alert(1)">

Stored XSS in mapping Resource field:

Environment

None

Activity

Pothys - MitrahSoft
September 4, 2020, 3:55 PM

I've checked this ticket and confirmed the issue also happens on the latest Lucee version, 5.3.8.58-SNAPSHOT. The issue happened in all the input fields, so I've added validation for the input fields.

Pull request: https://github.com/lucee/Lucee/pull/1023

Zac Spitzer
September 4, 2020, 4:33 PM

I disagree with this approach, admin already has

https://github.com/lucee/Lucee/blob/5.3/core/src/main/cfml/context/admin/Application.cfc#L22

https://docs.lucee.org/reference/tags/application.html#attribute-scriptprotect

therefore, I think script protect needs updating

any HTML tag should have any on* attributes automatically stripped out or invalidAttribute added, when scriptProtect is enabled

Michael Offner
September 7, 2020, 12:47 PM

agree with on this

Zac Spitzer
September 7, 2020, 12:57 PM

it’s probably better to use ESAPI than reinventing the wheel here….
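The three approaches raised in this ticket, compared on the reported search payload. This is an added example, not code from Lucee or from the pull request: the filter functions are simplified models, and the input template, the `invalidAttribute_` prefix and all function names are assumptions.

```javascript
// Added example, not Lucee code. The filters are simplified models of the
// approaches discussed in the ticket; the input field template is assumed.

// Constructed input: the search payload from the ticket, URL-decoded.
const payload = '" ><img src="" onerror="alert(1)">';

// Model of a filter that only looks for <script>, as the ticket describes.
function scriptOnlyFilter(input) {
  return input.replace(/<\s*(\/?)\s*script/gi, '<$1invalidTag');
}

// Model of the proposed scriptProtect change: rename on* attributes in any
// tag. The "invalidAttribute_" prefix is a hypothetical output format.
function neutralizeEventAttrs(input) {
  return input.replace(/<[^>]*>/g, (tag) =>
    tag.replace(/([\s"'\/])on(\w+\s*=)/gi, '$1invalidAttribute_on$2'));
}

// Output encoding for an HTML attribute value: every non-alphanumeric
// character becomes a hex entity (hand-written stand-in, not ESAPI itself).
function encodeForHtmlAttribute(input) {
  return String(input).replace(/[^A-Za-z0-9]/gu,
    (ch) => `&#x${ch.codePointAt(0).toString(16)};`);
}

// Hypothetical template: reflect the query into the search box.
function renderSearchField(q, protect) {
  return `<input type="text" name="q" value="${protect(q)}">`;
}

// Tag-opening sequences present in the rendered fragment.
function injectedTags(html) {
  return [...html.matchAll(/<([a-z]+)/gi)].map((m) => m[1].toLowerCase());
}

for (const protect of [scriptOnlyFilter, neutralizeEventAttrs, encodeForHtmlAttribute]) {
  const html = renderSearchField(payload, protect);
  console.log(protect.name.padEnd(22), injectedTags(html).join(','), '|', html);
}
```

The script-only filter returns the payload unchanged, the attribute renaming disables the handler but still lets the `<img>` tag into the page, and only the output encoding keeps the whole query inside the `value` attribute.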

Assignee

Michael Offner

Reporter

Cheng Kai Eng

Priority

New

Labels

Fix versions

None