Bug #13125

XSS vulnerability in 2.5.x

Added by José Raddaoui Marín 3 months ago. Updated about 1 month ago.

Status: Verified
Start date: 07/29/2019
Priority: Critical
Due date:
Assignee: -
% Done: 0%
Category: Security
Target version: Release 2.5.2
Google Code Legacy ID:
Tested version: 2.5, 2.6
Sponsored: No
Requires documentation:

Description

We are seeing an XSS exploit on 2.5.1 at the following URL:

/informationobject/browse?view=card"><script>alert(150)</script>&onlyMedia=1&topLod=0

I couldn't replicate on the demo site which is running 2.4.1, so it appears to have been introduced after 2.4.1.

It looks like Chrome is blocking the attack but I could reproduce in Firefox. Markdown support should be enabled for this to happen.
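As an added illustration of the bug class reported above (example code written for this page, not the ticket's or AtoM's own code): when a query parameter is echoed verbatim into a double-quoted HTML attribute, the `">` in the reported URL closes the attribute and the remainder is parsed as markup. Escaping the value for the attribute context neutralises it, and for an enumerated parameter such as `view` an allowlist is a cheap second layer. The `render_link_*` helpers, the `view-toggle` markup and the two allowed view names are assumptions for illustration; the only page-derived input is the reported URL.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample input: the request URL reported in the ticket, whose
# `view` parameter carries the injected markup.
REPORTED_URL = (
    '/informationobject/browse?view=card"><script>alert(150)</script>'
    '&onlyMedia=1&topLod=0'
)

# Assumed allowlist for an enumerated parameter (hypothetical values).
ALLOWED_VIEWS = ('card', 'table')


def view_param(url):
    """Read the raw `view` query parameter the way a browse page would."""
    query = urlsplit(url).query
    return parse_qs(query, keep_blank_values=True).get('view', [''])[0]


def render_link_unsafe(view):
    """Vulnerable pattern (assumed, for illustration): the parameter is
    concatenated into an attribute value without any encoding, so a value
    containing `">` escapes the attribute and injects a new element."""
    return '<a href="?view=%s" class="view-toggle">Card</a>' % view


def render_link_safe(view):
    """Hardened form: HTML-escape with quote=True so `"`, `<` and `>` become
    entities and the value cannot terminate the attribute or start a tag."""
    return '<a href="?view=%s" class="view-toggle">Card</a>' % html.escape(view, quote=True)


def normalize_view(view, default='table'):
    """Defence in depth for an enumerated parameter: anything not on the
    allowlist falls back to the default instead of being reflected."""
    return view if view in ALLOWED_VIEWS else default


def contains_script_tag(rendered):
    """Regression check used in a test: a raw <script tag in the rendered
    markup means the parameter broke out of its attribute."""
    return '<script' in rendered.lower()


if __name__ == '__main__':
    raw = view_param(REPORTED_URL)
    print('unsafe :', render_link_unsafe(raw))
    print('escaped:', render_link_safe(raw))
    print('allowlisted:', render_link_safe(normalize_view(raw)))
```

The escaping must match the context the value lands in: `html.escape(..., quote=True)` is correct for a double-quoted attribute or element text, but a value placed inside a `<script>` block or an unquoted attribute needs different treatment, which is why the allowlist for enumerated parameters is worth keeping regardless of the template engine's auto-escaping.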

History

#1 Updated by José Raddaoui Marín 3 months ago

  • Status changed from In progress to QA/Review
  • Assignee changed from José Raddaoui Marín to Dan Gillean

Fixed in qa/2.6.x (PR).

Please, let me know if you want to give it a try before cherry-picking to stable/2.5.x.

#2 Updated by Dan Gillean 3 months ago

  • Status changed from QA/Review to Feedback
  • Assignee changed from Dan Gillean to José Raddaoui Marín

Hey Radda,

Using the provided example URL in my vagrant box running qa/2.6.x, I can still get the 150 dialog in Firefox.

#3 Updated by José Raddaoui Marín 3 months ago

  • Status changed from Feedback to QA/Review
  • Assignee changed from José Raddaoui Marín to Dan Gillean

Sorry Dan, I was pushing to Github instead of to Gitolite and the commit got removed at some point from qa/2.6.x. It should be in there now ;)

#4 Updated by Dan Gillean 3 months ago

  • Status changed from QA/Review to Verified
  • Assignee changed from Dan Gillean to José Raddaoui Marín

Works this time! Feel free to backport :)

#5 Updated by José Raddaoui Marín 3 months ago

Added to stable/2.5.x.

#6 Updated by Dan Gillean 2 months ago

Confirmed working in stable/2.5.x as well. Thanks!

#7 Updated by José Raddaoui Marín 2 months ago

  • Status changed from Verified to Code Review

This came back, in this case using the "startDate" and "endDate" fields from the IO advanced search panel:

https://github.com/artefactual/atom/pull/958

#8 Updated by Mike Cantelon 2 months ago

  • Status changed from Code Review to Feedback

Your PR looks good to me!

#9 Updated by José Raddaoui Marín 2 months ago

  • Status changed from Feedback to QA/Review
  • Assignee changed from José Raddaoui Marín to Dan Gillean

Thanks Mike! Merged in qa/2.6.x.

#10 Updated by Dan Gillean 2 months ago

  • Status changed from QA/Review to Feedback
  • Assignee changed from Dan Gillean to José Raddaoui Marín

Looks good! Please backport to stable :)

#11 Updated by José Raddaoui Marín about 1 month ago

  • Status changed from Feedback to QA/Review
  • Assignee changed from José Raddaoui Marín to Dan Gillean

Added to stable/2.5.x

#12 Updated by Dan Gillean about 1 month ago

  • Status changed from QA/Review to Verified
  • Assignee deleted (Dan Gillean)

#13 Updated by Dan Gillean about 1 month ago

  • Private changed from Yes to No
  • Tested version 2.6 added

Now that 2.5.2 has been released with a patch for this issue, making it public again so we can reference it in our release notes, per our new Security Policy.
