AsmBB


xss and RCE vulnerabilities found

#15979 (ツ) A T M O S
Last edited: 03.11.2019 by A T M O S, read: 1426 times

Pretty much all inputs are currently vulnerable; you should really audit a bit more before pushing updates. We will continue to fuzz it.

XSS vuln [screenshot] Hey, we did find some XSS which can be triggered on various hrefs.

- Edit: we also found an RCE for Edge users; one can also RCE Edge users with URIs like calculator://aaa, the yahoo.com one.


Another XSS in the user profile [screenshot]


#15980 (ツ) ganuonglachanh
Created 04.11.2019, read: 1412 times

Thanks for the report, I'm sure John "found" a fix ;-)

#15981 (ツ) johnfound
Created 04.11.2019, read: 1408 times

Hm... As a rule, XSS is possible. But I can't reproduce these. Please provide some code samples. Post directly here; it is OK if the code is non-destructive.

#16053 (ツ) ganuonglachanh
Created 15.03.2020, read: 834 times

While looking for a "fix" of this error, I realized that AsmBB uses an HttpOnly cookie, so JS can't access our session cookie, even if the XSS vulnerability exists.

More on this: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#Secure_and_HttpOnly_cookies

But anyway, should we add a filter function to our post content, to clear XSS, auto-remove spam links...

Just my 2 cents :-)

#16054 (ツ) johnfound
Last edited: 15.03.2020 by johnfound, read: 831 times

Well, I still can't reproduce this XSS at all... My hypothesis is that ATMOS used some very old and buggy version of AsmBB. But he is not posting anymore...

And my idea is that the user content should not be filtered. The vulnerabilities and bugs should be searched and fixed.

P.S. If you can reproduce this XSS/RCE, please post some working test case here.
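To make the two points in this exchange concrete (the HttpOnly session cookie that keeps the session id away from injected scripts, and fixing the renderer rather than filtering user input), here is an added Python example. It is not AsmBB's own code (AsmBB is written in assembly) and not code from anyone in this thread; the function names, the allowed-scheme list and the sample post are my own assumptions and are marked as such.

```python
import html
import re
from urllib.parse import urlsplit

# Assumption: link schemes a forum post may point at. javascript:, data:,
# vbscript: and custom protocol handlers (calculator:, for example) are refused.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Control characters and whitespace that browsers drop inside a URL; removing
# them first stops "java\tscript:" from being classified as a scheme-less link.
_URL_JUNK = re.compile(r"[\x00-\x20\x7f]")


def safe_href(raw: str):
    """Return the URL encoded for use inside href="...", or None to refuse it."""
    url = _URL_JUNK.sub("", raw)
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. a malformed IPv6 literal
        return None
    scheme = parts.scheme.lower()
    if scheme == "":
        # No scheme: accept only site-relative paths, never //host forms.
        if parts.netloc or not url.startswith("/"):
            return None
    elif scheme not in ALLOWED_SCHEMES:
        return None
    # Attribute context: escape & < > " ' so the URL cannot close the attribute
    # or the tag. The text is stored unfiltered; escaping happens at render time.
    return html.escape(url, quote=True)


# Minimal [url=...]label[/url] handling; every other character is escaped.
_URL_TAG = re.compile(r"\[url=([^\]]+)\](.*?)\[/url\]", re.IGNORECASE | re.DOTALL)


def render_bbcode(text: str) -> str:
    """Render the [url] tag safely; all surrounding text is emitted HTML-escaped."""
    out, pos = [], 0
    for m in _URL_TAG.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        href = safe_href(m.group(1))
        label = html.escape(m.group(2))
        if href is None:
            out.append(label)  # refused link: the label survives, the href does not
        else:
            out.append(f'<a href="{href}" rel="nofollow">{label}</a>')
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)


# RFC 6265 token / cookie-octet character sets.
_COOKIE_NAME = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
_COOKIE_VALUE = re.compile(r"[\x21\x23-\x2b\x2d-\x3a\x3c-\x5b\x5d-\x7e]*")


def session_cookie(name: str, value: str) -> str:
    """Build a Set-Cookie value for the session id.

    HttpOnly keeps it out of document.cookie (the property noted in the thread),
    Secure restricts it to HTTPS, SameSite=Lax blocks most cross-site sends.
    """
    if not _COOKIE_NAME.fullmatch(name) or not _COOKIE_VALUE.fullmatch(value):
        raise ValueError("cookie name/value contains characters RFC 6265 does not allow")
    return f"{name}={value}; Path=/; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    # Constructed sample post with the kinds of links this thread talks about.
    sample = ("Try [url=javascript:alert(1)]this[/url], [url=calculator://aaa]this[/url] "
              "or [url=https://example.com/?a=1&b=2]this[/url] <script>")
    print(render_bbcode(sample))
    print("Set-Cookie:", session_cookie("sid", "abc123"))
```

The point of keeping `safe_href` separate from the stored post text is the one johnfound makes: the database keeps what the user typed, and correctness lives in the renderer, so a later parser fix applies to old posts too. The cookie helper shows why the reported XSS could not simply read the session: with HttpOnly set, the browser never exposes the cookie to script at all.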

#16060 (ツ) johnfound
Created 18.03.2020, read: 799 times

After some great help from ganuonglachanh, the working test cases have been found and the working fix was submitted to the repositories.

Notice that the fixes are both in AsmBB and in FreshLib, so the latest version should be fetched. Some minor bugs have been fixed as well.

The BBCode parser will be fixed very soon as well. The fix is working, but it is pretty complex, so some bugs are possible.

#16061 (ツ) ganuonglachanh
Created 19.03.2020, read: 795 times

Thank you johnfound

Great as always :-)


AsmBB v2.9 (check-in: 6d407831308ba556); SQLite v3.31.1 (check-in: 3bfa9cc97da10598);
©2016..2020 John Found; Licensed under EUPL. Powered by Assembly language Created with Fresh IDE