XSS vulnerability inside of file description #292
Comments
@UmbreonFR4 your link is broken. You have
Hi! Thanks for reporting the vulnerability! The LSP website is very outdated and I knew there would be vulnerabilities (#281). However, I will try to fix this one.
@liushuyu it appears to be adding double HTML tags, and the browser is parsing the style info as a new HTML tag. <a href="<a href="https://www.lmms.io/style=color:red/*" target=_blank > I'm not sure how this is happening. First thought is an extra double-quote, but I'm not exactly sure yet.
Line 507 in 6d0a4f1
This is due to an improper escaping done in
That was my first thought too, but I don't see double quotes in the proof of concept description. If it's there, I can't find it.
@liushuyu I have a feeling that the HTML is being saved back into the database, then re-rendered.
Hmm... something's adding the extra
Upon creating or editing a file you can find an XSS method. This can be done by having two of the same URL, with a = inside it, next to each other with a newline between them, like this:
This will cause issues in the way Chrome renders it, causing a possible XSS method. Upon further research into this I made a few examples showing that this can be abused.
Execute JavaScript on mouse hover:
Change the colour of the text:
The comments for the languages at the end are required since a speech mark is added onto the end of the property by the website.
If you want to see these in action go to this link: Here
This vulnerability needs to be fixed to avoid people having cookies stolen, IPs stolen, etc.
This XSS method was tested on:
Chrome, Firefox, Internet Explorer, Edge
All of which have been tested and are vulnerable to this attack.
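An added illustration of the mechanism the thread is circling (this is not LSP's code and not the reporter's proof of concept, and the URL regex, the sample description and the breakout string are all constructed for this example): an autolinker that is run a second time over text which already contains its own anchors wraps the URL inside href="..." again, which is exactly the <a href="<a href="... shape quoted above. Beside it is a renderer that always starts from the raw stored text, escapes text and URL separately, and therefore cannot be tricked into emitting a second tag.

```javascript
// Added example, not code from LSP or from the reporter's proof of concept.
// It models a double-linkify bug (autolinker run on already-linkified HTML)
// and a renderer that avoids it. The URL pattern is assumed; LSP's own
// pattern is not on the page.
const URL_RE = /https?:\/\/[^\s<]+/g;

// Naive autolinker: wraps each URL-looking run in an anchor without escaping.
// Correct only on plain text, never on text that already contains HTML.
function naiveLinkify(text) {
  return text.replace(URL_RE, (url) => `<a href="${url}" target="_blank">${url}</a>`);
}

// Models the suspicion voiced in the thread (HTML saved back to the database
// and re-rendered): linkified HTML is stored, then linkified again on display.
// The second pass matches the URL inside href="..." through the closing quote
// (the quote is neither whitespace nor '<'), so the output starts with
// <a href="<a href="... and the URL's own '/...=...' text ends up inside a tag.
function naiveRenderTwice(description) {
  return naiveLinkify(naiveLinkify(description));
}

// HTML-escape for text and for double-quoted attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened renderer: keep the raw description in storage and build HTML from
// that raw text at display time. Text segments and URLs are escaped
// separately, so user input can neither close the href nor open a new tag.
function safeRender(rawDescription) {
  let out = '';
  let last = 0;
  for (const m of rawDescription.matchAll(URL_RE)) {
    const url = m[0];
    out += escapeHtml(rawDescription.slice(last, m.index));
    out += `<a href="${escapeHtml(url)}" target="_blank" rel="noopener noreferrer">${escapeHtml(url)}</a>`;
    last = m.index + url.length;
  }
  out += escapeHtml(rawDescription.slice(last));
  return out;
}

// Invariant used to compare the two pipelines: every '<' in the output must
// begin an anchor the renderer itself emitted, or that anchor's closing tag.
function onlyExpectedTags(html) {
  return [...html.matchAll(/</g)].every(
    (m) => html.startsWith('<a href="http', m.index) || html.startsWith('</a>', m.index),
  );
}

// Constructed input in the shape the report describes: the same URL,
// containing an '=', twice, separated by a newline.
const DESCRIPTION =
  'https://www.lmms.io/style=color:red/*\nhttps://www.lmms.io/style=color:red/*';

// Constructed input that tries to close the href attribute directly.
const BREAKOUT = 'see https://example.test/" style="color:red';

console.log('naive, rendered twice:\n' + naiveRenderTwice(DESCRIPTION));
console.log('well-formed? ' + onlyExpectedTags(naiveRenderTwice(DESCRIPTION)));
console.log('safe:\n' + safeRender(DESCRIPTION));
console.log('safe, breakout attempt:\n' + safeRender(BREAKOUT));
```

Running it prints the nested `<a href="<a href="` markup for the naive pipeline and flat, entity-encoded anchors for the safe one. Note that the safe renderer stays non-injectable even if it is mistakenly applied twice (the result is visibly double-escaped, but every `<` still belongs to an anchor it emitted), and that the trailing quote the reporter had to neutralise with a `/*` comment never reaches the attribute unencoded.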