
#109 Stored Cross-site Scripting (XSS) vulnerability in Vim Online

Milestone: v1.0 (example)
Status: open
Owner: nobody
Priority: 7
Created: 2019-04-21
Updated: 2019-04-21
Private: No

Hello sir/madam!

I am Binit Ghimire. I was able to discover a Stored Cross-site Scripting (XSS) vulnerability in the official Vim website (https://www.vim.org/).

You can reproduce the vulnerability by following these steps:

  1. Visit https://www.vim.org/, click on "My Account" in the sidebar and then click on "Sign up now." or directly visit this page: https://www.vim.org/account/register.php
  2. You will see an account creation form. Fill in the "user name", "password" and "confirm password" fields as you like and write "I am human" in the last field. For the other three fields, enter the following XSS payloads:
    first name: ">
    last name: ">
    email: ">"@x.y

  3. Now, press enter or click on the "create" button.

  4. When your account is created, you will be automatically logged in to your account and sent to this webpage: https://www.vim.org/account/index.php. If you haven't logged in to your account, visit https://www.vim.org/account/login.php to use your username and password for logging in.
  5. When you have logged in to your account, visit https://www.vim.org/account/index.php and click on "edit account info" or visit: https://www.vim.org/account/edit_account.php

When you reach the "Edit Account" page, your XSS payloads will be executed. This means the "first name", "last name" and "email" fields are vulnerable to Stored Cross-site Scripting: the payload is a persistent vulnerability, stored permanently in the database and re-executed every time the page is rendered.

This Stored Cross-site Scripting vulnerability can be fixed by sanitizing or escaping the user's input wherever it is written back into the page.

Here, the XSS payloads don't get executed when the first name and last name are displayed elsewhere on the website, which means they are properly sanitized or escaped at those display points. But doing so only there isn't enough to prevent stored XSS, as I was able to execute my payloads on the website through another output point.

In the "Edit Account" page, the contents of the "value" attribute of the respective input elements for first name, last name and email also need to be sanitized or escaped properly, using escaping suited to an HTML attribute context. Doing so will resolve this vulnerability.

I usually use the PHP functions htmlspecialchars() and htmlentities() to prevent XSS on my websites.

I hope this vulnerability would be resolved as soon as possible.

You can contact me at my email: thebinitghimire@gmail.com or my Twitter handle: @WHOISbinit for any queries regarding this issue.

Thanks,
Binit Ghimire
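The following is an added example, not code from vim.org or from the reporter, that models the "Edit Account" form the ticket describes: stored first name, last name and email values written into the value="" attribute of input elements. The function names (render_field_vulnerable, render_field_safe, esc_attr, render_edit_form) and the sample account record are assumptions made for illustration; the account record is a constructed test input, not the reporter's payload, which is not preserved on this page.

```php
<?php
// Added example, not vim.org's code. Models the "Edit Account" form from the ticket:
// stored profile fields are echoed into value="" attributes of <input> elements.
// Function names and the sample record are assumptions for illustration.

// Constructed sample record, standing in for what the database returns after the
// registration step in the report. The first value closes the attribute and the tag.
$account = [
    'first_name' => '"><script>alert(1)</script>',
    'last_name'  => 'O\'Brien',
    'email'      => '"><img src=x onerror=alert(2)>"@x.y',
];

// Vulnerable rendering: the stored value is interpolated unescaped into a double-quoted
// attribute, so a value beginning with "> terminates the attribute and the <input> tag
// and everything after it is parsed as markup. This is the pattern the ticket describes.
function render_field_vulnerable(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Hardened rendering: htmlspecialchars() turns &, <, >, " and ' into entities, so the
// attribute cannot be closed early. ENT_QUOTES matters: before PHP 8.1 the default flag
// set was ENT_COMPAT, which leaves single quotes alone and is fatal if the attribute is
// ever single-quoted. ENT_SUBSTITUTE avoids the empty-string return on invalid UTF-8,
// which would otherwise silently blank a field instead of failing visibly.
function esc_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_field_safe(string $name, string $value): string
{
    return '<input type="text" name="' . esc_attr($name) . '" value="' . esc_attr($value) . '">';
}

// Renders the three fields from the report, either unescaped or escaped.
function render_edit_form(array $account, bool $escape): string
{
    $render = $escape ? 'render_field_safe' : 'render_field_vulnerable';
    $html = "<form method=\"post\" action=\"edit_account.php\">\n";
    foreach (['first_name', 'last_name', 'email'] as $field) {
        $html .= '  ' . $render($field, $account[$field]) . "\n";
    }
    return $html . "</form>\n";
}

// Quick self-check: the hardened output must not contain a raw '<' or '"' from user data,
// so the only double quotes left are the ones the template itself wrote (two per attribute).
function attribute_is_intact(string $html): bool
{
    return !preg_match('/value="[^"]*[<>][^"]*"/', $html) && strpos($html, '<script') === false;
}

echo "--- vulnerable ---\n", render_edit_form($account, false);
echo "--- hardened ---\n", render_edit_form($account, true);
echo 'vulnerable intact: ', var_export(attribute_is_intact(render_edit_form($account, false)), true), "\n";
echo 'hardened intact:   ', var_export(attribute_is_intact(render_edit_form($account, true)), true), "\n";
```

The point the ticket makes is the general one: escaping at one display site does not protect another. Every place a stored field is written back into HTML (text nodes, attribute values, and separately JavaScript or URL contexts) needs escaping appropriate to that context, applied at output time rather than once at input time.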

1 Attachments

Discussion

  • Binit Ghimire

    Binit Ghimire - 2019-04-21

    I hope you would close this ticket. I didn't mark the payloads as code in the visual editor in SourceForge, due to which they got executed. I have created a new ticket with the issue mentioned in a proper way.

    Thanks,
    Binit Ghimire
