We build. You grow.

Get best community software here

Start a social network, a fan-site, an education project with oxwall - free opensource community software

Oxwall 1.8.1 is XSS vulnerable ( aka hackable ) | Forum

UTAN
UTAN Jan 19 '16
Hi guys,

I am sorry to bear bad news , I tested my Oxwall site after Akash's report that the site are vulnerable .. thanks by the way..

Now that is publicly disclosed ..  Thanks but not thanks Akash

I can confirm that is vulnerable, it seems that when you post an url the Oxwall parses the title of the page, unfortunately there is not clean up when parsing and parses Javascript is used as title in the page you are linking to..

I have mitigated the problem disabling the abilities to post messages in newsfeed, forums , blogs, photo, gif etc only allowing to read..

Until Oxwall devs fix this issue and release a quick fix version to totally mitigate this vulnerability...

As usual is your responsibility to test everything..

It is a mayor problem.. since of course anyone can hijack your admin cookie and get complete access to your site..

regards..

@ross your thoughts?

 
JoshWho
JoshWho Jan 19 '16
interesting but I haven't seen it done yet. R u sure that a normal user level can do this?  Maybe my server security stops it but I can not replicate what you are saying.
UTAN
UTAN Jan 19 '16
@JoshWho, 
If u don't allow external urls is fine , but 90% of all servers have this enabled , it doesn't  pose a security issue itself but the script that parse Javascript needs to be scaped , so is pretty much Oxwall Devs that failed to scape it or the framework they used is vulnerable..

Regards.
UTAN
UTAN Jan 19 '16
@Ross, we all know u guy doing ur best.. 

When developing things like this happens.