LEAKFREE-2014-008 / OSVDB-115638

HumHub PostController.php actionPost() Stored XSS

[+] OSVDB-ID: OSVDB-115638
[+] LF-ID: LEAKFREE-2014-008
[+] CVSS: 7.0
[+] Vendor: HumHub
[+] Product: HumHub
[+] Versions affected: 0.10.0-rc1 and earlier


In actionPost() in "/protected/modules_core/post/controllers/PostController.php", the $_POST variable is cleaned with a now-outdated version of the stripClean() function from the Yii framework's CmsInput extension, which does not properly sanitize user input against XSS [1]. The same applies to actionPost() in "/protected/modules_core/comment/controllers/CommentController.php".

Proof of Concept

Submitting the following posts or comments in URL-encoded form:

<img src = "index.php?r=user/auth/logout">

<a href = "data:text/html,test">test</a>

inserts the corresponding HTML elements into the post/comment body.


Upgrade to the latest HumHub release [2].
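
To confirm after upgrading that post/comment bodies are rendered as text only, the check below (an added example, not HumHub code and not the vendor's fix) runs the two Proof of Concept strings through an output-encoding step and parses the result to see whether any element survives. The function names render_body() and elements_in() and the "lf-root" wrapper id are hypothetical, and htmlspecialchars() stands in for whatever encoding the deployed release applies.

```php
<?php
// Added example; not HumHub code. render_body() and elements_in() are hypothetical names.

// Encode a stored post/comment body for an HTML text context at render time.
function render_body(string $stored): string
{
    // ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE replaces invalid
    // UTF-8 instead of returning an empty string.
    return htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Parse a fragment with an HTML parser and return the tag names of every
// element it produces. An empty array means the fragment is text only.
function elements_in(string $fragment): array
{
    $prev = libxml_use_internal_errors(true);   // keep parser warnings quiet
    $doc = new DOMDocument();
    $doc->loadHTML('<div id="lf-root">' . $fragment . '</div>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $tags = [];
    $xpath = new DOMXPath($doc);
    // Everything under <body> except the wrapper div added above.
    foreach ($xpath->query('//body//*[not(@id="lf-root")]') as $node) {
        $tags[] = $node->nodeName;
    }
    return $tags;
}

// Constructed sample input: the two strings from the Proof of Concept.
$samples = [
    '<img src = "index.php?r=user/auth/logout">',
    '<a href = "data:text/html,test">test</a>',
];

$failed = false;
foreach ($samples as $s) {
    $raw = elements_in($s);                 // what the parser builds from the raw string
    $enc = elements_in(render_body($s));    // what it builds after encoding
    printf("raw: [%s]  encoded: [%s]\n", implode(',', $raw), implode(',', $enc));
    if ($enc !== []) {
        $failed = true;                     // markup survived encoding
    }
}
exit($failed ? 1 : 0);
```

The script exits non-zero if any element is still present after encoding, so it can be used as a regression check in a test run.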


1. LEAKFREE-2014-004

2. https://github.com/humhub/humhub/releases


