This repository has been archived by the owner on Dec 19, 2023. It is now read-only.

Fixed XSS on hexo-admin post editor #2

Closed
wants to merge 1 commit into from


Asjidkalam

📊 Metadata *

Fixed Cross-site scripting vulnerability

Bounty URL: https://www.huntr.dev/bounties/1-npm-hexo-admin

⚙️ Description *

A Cross-site scripting vulnerability exists on hexo-admin plugin's create-post functionality.
Issue: jaredly#185
Since the code uses the user-input data without any sanitizing, users could inject JavaScript code to perform XSS. Hence validating the user-input could resolve the issue.

💻 Technical Description *

I used the DOMPurify library to escape the unsanitized code. The fix for a different functionality was already implemented on the same package (#1). This fix is an extension to it.

🐛 Proof of Concept (PoC) *

npm install -g hexo
cd ~/
hexo init my-blog
cd my-blog
npm install
npm install --save hexo-admin
hexo server -d

Open http://localhost:4000/admin/, click on create new post and provide this payload: "><img src=x onerror=alert("XSS")>
PoC from issue: https://github.com/jaredly/hexo-admin/files/3077011/PLUGIN.Hexo-admin-XSS-PoC.zip

🔥 Proof of Fix (PoF) *

The input will be sanitized after passing through the DOMPurify function, and no XSS will be triggered.

@Asjidkalam Asjidkalam closed this Aug 14, 2020
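
The PoC payload above run through a vulnerable and a hardened render path, with a regression check on the output; this is an added example, not code from the pull request or from hexo-admin. It swaps in output encoding instead of DOMPurify so that it runs without a DOM, and the function names and the `<input>` template are assumptions.

```javascript
// Added example; function names and the <input> template are assumptions,
// not hexo-admin code.

// Payload from the PoC on this page.
const POC_TITLE = '"><img src=x onerror=alert("XSS")>';

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#39;', '`': '&#96;',
};

// Encode every character that can close a quoted attribute value or open a tag.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: user input concatenated straight into markup.
function renderTitleUnsafe(title) {
  return '<input class="title" value="' + title + '">';
}

// Hardened pattern: encode at the point of output.
function renderTitleSafe(title) {
  return '<input class="title" value="' + escapeHtml(title) + '">';
}

// Regression check: report every tag the template did not emit itself and
// every on* event-handler attribute found in the rendered markup.
function findInjectedMarkup(html, allowedTags = ['input']) {
  const tagRe = /<\s*([a-zA-Z][\w-]*)([^<>]*)>/g;
  const attrRe = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  const findings = [];
  for (const [, tag, attrs] of html.matchAll(tagRe)) {
    if (!allowedTags.includes(tag.toLowerCase())) findings.push('element:' + tag);
    for (const [, name] of attrs.matchAll(attrRe)) {
      if (/^on/i.test(name)) findings.push('handler:' + name);
    }
  }
  return findings;
}

for (const render of [renderTitleUnsafe, renderTitleSafe]) {
  const html = render(POC_TITLE);
  console.log(render.name, '->', html, findInjectedMarkup(html));
}
```

A check like `findInjectedMarkup` fits a unit test for the editor's render path, so a later change that reintroduces raw concatenation fails the build.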