Hello sir/madam!
I am Binit Ghimire. I was able to discover a Stored Cross-site Scripting (XSS) vulnerability in the official Vim website (https://www.vim.org/).
You can reproduce the vulnerability by following these steps:
first name: "><svg onload=alert(document.domain)>
last name: "><svg onload=alert(document.domain)>
email: "><svg/onload=alert(document.domain)>"@x.y
When you reach the "Edit Account" page, your XSS payloads will be executed. This means the "first name", "last name" and "email" fields are vulnerable to Stored Cross-site Scripting, a persistent vulnerability because the payload is stored permanently in the database and runs every time the page is rendered.
This Stored Cross-site Scripting vulnerability can be fixed by sanitizing or escaping the user's input in the input field.
Here, the XSS payloads don't get executed when the first name and last name are displayed on the website, which means they are properly sanitized or escaped while being displayed on the website. But just doing so isn't enough to prevent stored XSS, as I was able to execute my payloads on the website.
In the "Edit Account" page, the contents of the "value" attribute of respective input elements for first name, last name and email also need to be sanitized or escaped properly. Doing so will help in resolving this vulnerability.
I usually use htmlspecialchars() and htmlentities() PHP functions to prevent XSS in my websites.
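The point made above is that escaping has to be applied at every output location, and the attribute context is the one that was missed: inside value="..." a literal double quote closes the attribute and a following > closes the tag, so the rest of the stored string becomes markup. The following is an added example, not code from the report or from the vim.org site, that renders a stand-in for the "Edit Account" form both without escaping (reproducing the defect) and with escaping, then parses the result the way a browser would to show which tags actually come out. It uses Python's html.escape(value, quote=True) as the equivalent of the PHP htmlspecialchars() call with ENT_QUOTES mentioned above; the field names and form layout are assumptions, and the payload is the one from the report.

```python
import html
from html.parser import HTMLParser

# Constructed payload with the same shape as the one in the report.
PAYLOAD = '"><svg onload=alert(document.domain)>'


def render_field(name: str, value: str, escape: bool) -> str:
    """Render one <input> of a stand-in "Edit Account" form.

    escape=False reproduces the defect: the stored value is written into the
    value="" attribute verbatim, so a stored '"' closes the attribute and a
    stored '>' closes the tag.  escape=True is the fix: html.escape() with
    quote=True encodes <, >, &, " and ', so the value can neither close the
    attribute nor open a new element.  The PHP equivalent is
    htmlspecialchars($value, ENT_QUOTES, 'UTF-8').
    """
    rendered = html.escape(value, quote=True) if escape else value
    return f'<input type="text" name="{name}" value="{rendered}">'


def render_edit_account(first: str, last: str, email: str, escape: bool = True) -> str:
    """Render the three fields the report identifies (field names are assumed)."""
    fields = [("first_name", first), ("last_name", last), ("email", email)]
    body = "".join(render_field(name, value, escape) for name, value in fields)
    return "<form>" + body + "</form>"


class TagCollector(HTMLParser):
    """Records every start tag (and its attributes) that a browser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        # attribute values arrive entity-decoded, as a browser would present them
        self.tags.append((tag, dict(attrs)))


def injected_tags(markup: str) -> list:
    """Start tags other than the <form>/<input> elements we emitted ourselves.

    Anything listed here was smuggled in by user data; an empty list means the
    stored values stayed inside their attributes.
    """
    parser = TagCollector()
    parser.feed(markup)
    return [t for t in parser.tags if t[0] not in ("form", "input")]


def input_values(markup: str) -> dict:
    """Map each input's name to the value a browser would show in the box."""
    parser = TagCollector()
    parser.feed(markup)
    return {a.get("name"): a.get("value") for tag, a in parser.tags if tag == "input"}


if __name__ == "__main__":
    email = PAYLOAD + "@x.y"
    vulnerable = render_edit_account(PAYLOAD, PAYLOAD, email, escape=False)
    hardened = render_edit_account(PAYLOAD, PAYLOAD, email, escape=True)
    print("unescaped:", injected_tags(vulnerable))   # three <svg onload=...> elements
    print("escaped:  ", injected_tags(hardened))     # []
    print("displayed:", input_values(hardened))      # original text, shown inertly
```

The escaped rendering round-trips: input_values() returns the original stored strings, so the form still shows exactly what the user typed, and no element other than the form's own inputs is created. Running the check against the unescaped rendering is a cheap regression test to keep in the template's test suite once the fix is in.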
I hope this vulnerability would be resolved as soon as possible.
You can contact me at my email: thebinitghimire@gmail.com or my Twitter handle: @WHOISbinit for any queries regarding this issue.
Thanks,
Binit Ghimire