Under Review
Last Updated: 29 Sep 2020 12:46 by ADMIN
Dhiraj
Created on: 23 Sep 2020 07:13
Category: UI for ASP.NET AJAX
Type: Bug Report
Stored Cross-Site Scripting in Rich text editor (RadEditor?!)

Greetings!

Description:

I have found a Cross-Site Scripting issue in the rich text editor, RadEditor. This is not in a body where the user provides certain strings; rather, it's in the text properties which get sent along with the user input, such as font-style. The developers were able to follow the filtering mechanisms given at https://docs.telerik.com/devtools/aspnet-ajax/controls/editor/managing-content/prevent-cross-site-scripting-(xss), but it provides protection for the inputs given in <textarea>, and for the property values. Hence XSS is still possible.

Steps for Reproduction:

1. Open up the text editor {{Screenshot 2020-09-23 at 12.08.51 PM.png}}

2. Input a string and change its font style.

3. Click on submit and intercept the request. {{Screenshot 2020-09-23 at 12.14.45 PM.png}}

4. Now we need to modify the request body for the parameter of the text editor's ID. You may notice that the font-style is set and sent by using a <span>.

RadEditor1=%253cspan%20style%253d%2522font-family%253a%20%2527MS%20Sans%20Serif%2527%253b%2522%253etextexttext%253c%2Fspan%253e

Change the 'RadEditor1' parameter's value to the following:

RadEditor1=%253cspan%20onmouseover%253d%2522document.body.innerHTML%253d%2527ioioioioioioioioo%2527%252bdocument.cookie%2522%20style%253d%2522font-family%253a%20%2527MS%20Sans%20Serif%2527%253b%2522%253etextexttext%253c%2Fspan%253e

5. Submit and notice the 200 OK response. Now go to the text editor and notice that the string texttexttext can be seen. {{Screenshot 2020-09-23 at 12.24.18 PM.png}}

6. Put a mouse cursor on the string and notice that it gets changed to ioioioioioioioioo<domainCookies>.

##################

Please let me know if the given information doesn't suffice for reproduction.

Thanks,

Dhiraj
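The gap this report describes, a filter that covers the element body but not the attributes that travel with the formatting markup, shown from the mitigation side in an added example that is not code from the report or from Telerik: a Python allowlist sanitizer that decodes the double-URL-encoded RadEditor1 parameter and drops event-handler attributes from the formatting span while keeping the font-style. The sample parameter values are constructed to match the shape shown in the report, and the tag and attribute allowlists are assumptions for illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote
# Constructed samples shaped like the RadEditor1 POST parameter in the report,
# URL-encoded twice ("%253c" -> "%3c" -> "<"); the second carries an event handler.
BENIGN = ("%253cspan%20style%253d%2522font-family%253a%20%2527MS%20Sans%20Serif"
          "%2527%253b%2522%253etextexttext%253c%2Fspan%253e")
TAMPERED = ("%253cspan%20onmouseover%253d%2522x()%2522%20style%253d%2522font-family"
            "%253a%20%2527MS%20Sans%20Serif%2527%253b%2522%253etextexttext%253c%2Fspan%253e")

ALLOWED_TAGS = {"span", "b", "i", "u", "p"}  # assumed: formatting markup only
ALLOWED_ATTRS = {"style", "class"}           # assumed: no on*, no href/src

def is_safe_attr(name, value):
    """Attribute-level allowlist: event handlers never pass, whatever the tag."""
    name = name.lower()
    if name.startswith("on") or name not in ALLOWED_ATTRS:
        return False
    v = (value or "").lower().replace(" ", "")
    return not any(bad in v for bad in ("javascript:", "expression(", "url("))

class AttrSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped = [], []
    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:
            if is_safe_attr(name, value):
                safe = html.escape(value or "", quote=False).replace('"', "&quot;")
                kept.append(f' {name}="{safe}"')
            else:
                self.dropped.append(name)  # record what was stripped for logging
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

def sanitize_editor_param(raw):
    """Decode both encoding layers, then return (clean_html, names_dropped)."""
    parser = AttrSanitizer()
    parser.feed(unquote(unquote(raw)))
    parser.close()
    return "".join(parser.out), parser.dropped
```

The benign request round-trips unchanged, while the tampered one comes back as the same styled span with the event handler gone and its name recorded in the dropped list.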

3 comments
ADMIN
Peter Milchev
Posted on: 29 Sep 2020 12:46

Hello Dhiraj,

Thank you for sharing your finding with us. Yes, this portal can be used to report features and issues. 

For more serious security issues, you can submit a General Feedback or a Product Feedback that will not be public.

Regarding the Editor, I have tried to tamper with the request using Fiddler and the server stripped the onmouseover event.

Please use the following code to enable all possible filters for the Editor and let me know how that works for you.

using System;
using System.Collections.Generic;
using System.Linq;
using Telerik.Web.UI;

protected void Page_Load(object sender, EventArgs e)
{
    // Start from every name in the EditorFilters enum...
    List<string> dataSource = Enum.GetNames(typeof(EditorFilters)).ToList();
    // ...except the two aggregate entries, which are not individual filters.
    dataSource.Remove("None");
    dataSource.Remove("DefaultFilters");
    foreach (var filter in dataSource)
    {
        // Turn the name back into the enum value and enable that filter on the editor.
        var filterEnum = (Telerik.Web.UI.EditorFilters)Enum.Parse(typeof(EditorFilters), filter, true);
        RadEditor1.EnableFilter(filterEnum);
    }
}

Also, you can try to enable all content filters in our live demo:

Let me know how that works for you.

Regards,
Peter Milchev
Progress Telerik

Dhiraj
Posted on: 25 Sep 2020 07:09

Hey everybody,

Is it the correct platform for reporting a security-related bug?

Dhiraj
Posted on: 23 Sep 2020 07:15
Edit: Line 8: and NOT for the properties values. Hence XSS is still possible.