Security Bug: SELF XSS - Event Editor #6851
MrClever changed the title from "Security Bug: SELF XSS" to "Security Bug: SELF XSS - Event Editor" on Feb 19, 2024.
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.
DAcodedBEAT added the "good first issue" label (indicates a good issue for first-time contributors) on Apr 3, 2024.
This is due to Not sure how to block this other than not allowing HTML.
respencer added a commit to respencer/ChurchCRM that referenced this issue on Jun 6, 2024.
respencer added a commit to respencer/ChurchCRM that referenced this issue on Jun 10, 2024.
respencer added a commit to respencer/ChurchCRM that referenced this issue on Jun 11, 2024.
respencer added a commit to respencer/ChurchCRM that referenced this issue on Jun 12, 2024.
DAcodedBEAT added a commit that referenced this issue on Jun 12, 2024:
# Description & Issue number it closes

Allowing HTML in Event Sermon text also allowed XSS. Removed allowing HTML in said field.

Resolves #6851

## Screenshots (if appropriate)

None.

## How to test the changes?

## Type of change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [x] Breaking change (fix or feature that would cause existing functionality to not work as expected)
- [ ] This change requires a documentation update

# How Has This Been Tested?

# Checklist:

- [x] My code follows the style guidelines of this project
- [x] I have performed a self-review of my code
- [ ] I have commented my code, particularly in hard-to-understand areas
- [ ] I have made corresponding changes to the documentation
- [ ] My changes generate no new warnings
- [ ] I have added tests that prove my fix is effective or that my feature works
- [ ] New and existing unit tests pass locally with my changes
- [ ] Any dependent changes have been merged and published in downstream modules
If you have the ChurchCRM software running, please file an issue using the Report an issue in the help menu.
On what page in the application did you find this issue?
EventEditor.php
On what type of server is this running? Dedicated / Shared hosting? Linux / Windows?
Linux
What browser (and version) are you running?
Firefox
What version of PHP is the server running?
8.3.2
What version of SQL Server are you running?
11.2.2
What version of ChurchCRM are you running?
5.5.0
Severity: low
Credits:
Georgios Bitounis
Description:
A self-XSS was found in the ChurchCRM v5.5.0 "edit your event" functionality, where malicious JS or HTML code can be inserted in the Event Sermon field of the endpoint EventEditor.php.
The steps for exploitation are the following:
Step 1: Go to EventEditor.php, create an event with whatever attributes you want, and save.
Step 2: Go to ListEvents.php and edit your event; in the Event Sermon field, we can XSS with this payload:
`<img src="invalid.jpg" onerror="alert('XSS')">`
Impact:
In a self-XSS attack, the victim of the attack unknowingly runs malicious code in their own web browser, thus exposing personal information to the attacker, a kind of vulnerability known as cross-site scripting. Self-XSS involves similar application behaviour to regular reflected XSS; however, it cannot be triggered in normal ways via a crafted URL or a cross-domain request. Instead, the vulnerability is only triggered if the victims themselves submit the XSS payload from their browser.
Affected Component:
/churchcrm/EventEditor.php
Technical Details:
The vulnerability is caused by the failure to validate user input. An attacker can insert malicious JS code, allowing the attacker to steal sensitive information, hijack user sessions, or perform other malicious operations on behalf of the victim.
Proof of Concept (PoC):
`<img src="invalid.jpg" onerror="alert('XSS')">`
Remediation:
1. Input validation: All user input should be validated to ensure that it conforms to the expected format and does not contain any malicious code. Input validation should be performed on the client side and should be designed to detect and block any attempts to inject scripts or other malicious content.
2. Output encoding: All data that is displayed on a web page should be properly encoded to prevent script injection. Proper encoding can include HTML entity encoding, URL encoding, or JavaScript escaping, depending on the specific context and the data being displayed.