Stored XSS in profile parameter #7

@fiammybe


Link: https://hackerone.com/reports/1080689
Date: 2021-01-18 09:17:19 UTC
By: wezery0
Weakness: Cross-site Scripting (XSS) - Stored

Details:

Summary:

There is a Cross-Site Scripting vulnerability in the profile parameter - url

Testing setup:

ImpressCMS 1.4.2 running on PHP Version 7.2.24

Installed modules:

  • system (version 1.4.2)
  • profile (version 2.4)

Vulnerable code example

The profile module contains a lack of validation of the parameters passed by the user when editing a profile.
File:
/htdocs/modules/profile/edit-user.php
Lines: 85-92
Vulnerable code example:

```php
// edit-user.php, lines 85-92 (as quoted in the report): the submitted value is
// handed to getValueForSave() and then stored; no scheme or format check is
// applied to the "url" field on the way in.
if (in_array($fieldname, $profile_handler->getUserVars())) {
    $value = $fields[$i]->getValueForSave($_REQUEST[$fieldname], $edituser->getVar($fieldname, 'n'));
    $edituser->setVar($fieldname, $value);
} else {
    $value = $fields[$i]->getValueForSave((isset($_REQUEST[$fieldname]) ? $_REQUEST[$fieldname] : ""), $profile->getVar($fieldname, 'n'));
    $profile->setVar($fieldname, $value);
}
```

In this code, the getValueForSave function is called, which has a lack of input data validation.
File:
/htdocs/modules/profile/class/Field.php
Lines: 295-312
Vulnerable code example:

```php
// Field.php, lines 295-312 (as quoted in the report): for every field type
// listed here, including the "textbox" type used for the website URL, the
// raw value is returned unchanged and therefore saved as submitted.
public function getValueForSave($value, $oldvalue) {
    switch ($this->getVar('field_type')) {
        default:
        case "textbox":
        case "textarea":
        case "dhtml":
        case "yesno":
        case "timezone":
        case "theme":
        case "language":
        case "select":
        case "radio":
        case "select_multi":
        case "checkbox":
        case "group":
        case "group_multi":
        case "longdate":
            return $value;
        // remaining cases of the switch are not quoted in the report
    }
}
```

Steps To Reproduce:

### Plant an XSS payload

  1. Login to your account
  2. Edit your account via /htdocs/modules/profile/edituser.php and change website param to javascript:alert(1)

The request will look like this:

```http
POST /impress/htdocs/modules/profile/edituser.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 482
Cookie: <COOKIE>

login_name=impress&url=javascript%3Aalert%281%29&rank=7&submit=Save+changes&XOOPS_TOKEN_REQUEST=<TOKEN>&uid=1&op=save
```

### Fire an XSS payload

  1. Log in as admin to the system
  2. Navigate to user search from the system module (/htdocs/modules/system/admin.php)
  3. Find the previously edited user
  4. Click the www button to fire the XSS payload

Suggestions to mitigate or resolve the issue:

Add filtering of user input values, like the one used in the standard user editing functionality.
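As an added example (not code from the report or from ImpressCMS), this is the kind of input-side check the suggestion above describes, written as a stand-alone PHP function that could be applied to the `url` value before it reaches `getValueForSave()`, plus the matching output-side encoding for the link the admin page renders. Function names are hypothetical; only `http`/`https` URLs are accepted, so the `javascript:` value from the report is rejected rather than stored.

```php
<?php
// Added example, not ImpressCMS code. validate_profile_url() and
// render_profile_link() are hypothetical helper names.

/**
 * Return the URL if it is an absolute http(s) URL, '' if the field was
 * cleared, or null if the value must be rejected.
 */
function validate_profile_url(string $value): ?string
{
    $value = trim($value);
    if ($value === '') {
        return '';                      // user cleared the website field
    }
    // Control characters or embedded whitespace are never valid in a URL;
    // rejecting them first also defeats "java\tscript:" style variants.
    if (preg_match('/[\x00-\x20\x7f]/', $value)) {
        return null;
    }
    $parts = parse_url($value);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;                    // no scheme/host: not an absolute web URL
    }
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;                    // javascript:, data:, vbscript:, ...
    }
    if (filter_var($value, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    return $value;
}

/**
 * Output-side defence: re-validate and attribute-encode before building the
 * "www" link, so a value that reached storage by another path cannot break
 * out of the href attribute.
 */
function render_profile_link(string $storedUrl): string
{
    $safe = validate_profile_url($storedUrl);
    if ($safe === null || $safe === '') {
        return '';
    }
    return '<a href="' . htmlspecialchars($safe, ENT_QUOTES, 'UTF-8') . '">www</a>';
}

// Constructed sample inputs: the report's payload and a benign site.
var_dump(validate_profile_url('javascript:alert(1)'));
var_dump(render_profile_link('https://example.com/profile'));
```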

### Additional participants

This vulnerability was found in collaboration with https://hackerone.com/d3addog; please add him to this report, if it is possible.

Impact

A malicious attacker can potentially obtain sensitive information or perform actions on the user's behalf.
