This repository has been archived by the owner on Apr 23, 2020. It is now read-only.

Stored & Reflected XSS in Exhibitor v1.5.6 #356

Open
bugger77 opened this issue Oct 3, 2017 · 4 comments

Comments

@bugger77

bugger77 commented Oct 3, 2017

I found that the following string can be added to the node explorer, allowing an attacker to create a stored cross site scripting (XSS) that can be seen under the logs tab.
Payload: "><img+src=x+onerror=alert('XSS')>.

Attached some screenshots.
[Screenshots: exhibitor-2nd-xss-1, exhibitor-2nd-xss-2, exhibitor-2nd-xss-3, exhibitor-xss, exhibitor-xss-1]

@xiaochuanyu
Contributor

Hi, thanks for the very detailed report.
I'm not very familiar with how to prevent this type of attack (and web dev in general).
A pull request would be greatly appreciated.

@bugger77
Author

Hi @xiaochuanyu ,

Thanks for the response. This issue can be fixed by validating all the input that comes from the various components of the website, such as the database, end users, web services, forms, hidden form fields, cookies, query strings, etc. This can be ensured in two ways:

Validating the input fields: The most effective method of addressing XSS vulnerabilities is to only accept and process data that is considered valid and reject everything else. This process entails white-list validation, permitting only those characters that may be legitimate input for a given field. For example, if the field is meant to accept a telephone number, it should filter out or escape all characters other than [0-9] and -: <, >, ", ', %, ;, &, (, ), +.

Escaping All Output: This process entails HTML-encoding all characters to prevent any execution. For example, if the < character is encoded to &lt; then it will not be interpreted by the browser as the start of a tag and will simply be displayed as <.

Let me know if anything else is required.

@bugger77
Author

Hi @xiaochuanyu ,

Any update on fixes?

@haywhisksoftware

For the Explore tab, the root cause seems to be that DynaTree (the library used to generate the tree of znodes in the Explore tab) does not escape its input.
Fancytree, dynatree's sequel, is able to escape its input via the escapeTitles parameter.

For the Log tab, see issue #331 .
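As an added example (not Exhibitor's, DynaTree's or Fancytree's own code) that ties together the "escape all output" advice earlier in the thread and the escapeTitles note for the Explore tab: a minimal HTML escaper, the unsafe and hardened way of rendering a znode path into the Log tab, and a Fancytree-style options object. The template markup and the assumption that the UI builds HTML as strings are constructed for illustration; only the payload comes from the report.

```javascript
// Added example, not Exhibitor's own code. Assumes the UI concatenates
// untrusted znode paths into HTML strings and inserts them with innerHTML,
// the pattern that lets the reported znode name become a live <img> tag.

// Attacker-controlled znode name taken from the report (sample input).
const REPORTED_PAYLOAD = '"><img src=x onerror=alert(\'XSS\')>';

// The five characters that matter in HTML text and attribute contexts.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Escape anything that could start a tag, close an attribute or begin an
// entity. '&' is included so a user-typed "&lt;" is displayed, not decoded.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// 'Before' (constructed template): how a vulnerable log line gets rendered.
// The path lands unescaped in both an attribute and a text position.
function renderLogLineUnsafe(znodePath) {
  return '<li class="log-entry" data-path="' + znodePath + '">' +
         znodePath + '</li>';
}

// 'After': the same markup with the untrusted value escaped once, so that
// both the attribute context and the text context are covered.
function renderLogLineSafe(znodePath) {
  const safe = escapeHtml(znodePath);
  return '<li class="log-entry" data-path="' + safe + '">' + safe + '</li>';
}

// Explore tab: leave node titles raw but tell the tree library to escape
// them on render, which with Fancytree is the escapeTitles option named
// in the thread (the 'source' shape is Fancytree's node-object format).
function buildTreeOptions(znodeNames) {
  return {
    escapeTitles: true,
    source: znodeNames.map((name) => ({ title: name, folder: false })),
  };
}

// Detection helper for reviewing rendered markup: flags any tag other than
// the <li> elements the template itself emits.
function containsForeignTag(markup) {
  return /<(?!\/?li\b)[a-zA-Z]/.test(markup);
}
```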
