Comments (maybe all other html/text-inputfields) XSS vulnerable

Post Reply
ebru
Posts: 12
Joined: 13 Jun 2016, 16:11
Name: Ewald Brunmüller
Location: Austria
Company Name: Mr.

Comments (maybe all other html/text-inputfields) XSS vulnerable

Post by ebru » 28 Jul 2016, 18:33

This is a serious threat.
Tested also on the actual demo, which is probably up to date.

Steps to reproduce:
In a comment textfield (or maybe all other html/text-fields, tested with the field "Comment") insert:

Code: Select all

<script type="text/javascript">alert("XSS vulnerable");</script>
Expected result:
I can read
"<script type="text/javascript">alert("XSS vulnerable");</script>"
in the current saved comment

Actual result:
The comment ist empty and the piece of javascript gets executed in the context of the users browser.
Even worse, emails sent from Rukovoditel show the same behaviour.

So any user of a Rukovoditel installation can infect all the other users with malicious code.

User avatar
support
Site Admin
Posts: 2048
Joined: 19 Oct 2014, 18:22
Name: Sergey Kharchishin
Location: Russia, Evpatoriya

Re: Comments (maybe all other html/text-inputfields) XSS vulnerable

Post by support » 30 Jul 2016, 19:26

Thank you for report about this issue. Will be fixed in 1.7.2

ebru
Posts: 12
Joined: 13 Jun 2016, 16:11
Name: Ewald Brunmüller
Location: Austria
Company Name: Mr.

Re: Comments (maybe all other html/text-inputfields) XSS vulnerable

Post by ebru » 04 Aug 2016, 17:27

Great. Thanks.

Post Reply