[ANSWERED] Simple blog - when saving inserted image firewall says: Potential Cross Site Scripting Attack

krisalyd
Posts: 7
Joined: Wed Mar 01, 2023 5:16 am


Post by krisalyd »

Hi :)

My first post on the forum: many thanks for WonderCMS, for the plugins and themes, and for the community sharing experience and tips! I just discovered it, and it seems wonderful ;)

Context:
firefox 102.8.0esr / debian 11
litespeed 8.1
php 8.1
wondercms 3.4.1
sky 3.2.3
summernote editor 3.4.1
simple blog 3.2.3

Here is the behavior I am facing:
When I insert an image in a post via the editor toolbar (insert image -> select from file browse), the image never seems to stop uploading. Sometimes it seems uploaded in the editor and the post can apparently be saved. But in any case, when displaying the post, there is no image inserted.

Logs (extract) from firewall (PlanetHoster default setting):
ID : 340147 Sévérité : CRITICAL Label : -
info : Matched Operator '(?:< ?script|(?:<|< ?/)(?:(?:java|vb)script|about|applet|activex|chrome|qx?ss|embed)|< ?/?i?frame\b|< ?img src ?=|< ?base href ?=)' against variable 'REQUEST_URI|REQUEST_HEADERS:X_FORWARDED_FOR|ARGS|!ARGS:/^cont/|!ARGS:/introtext/|!ARGS:_message|!ARGS:/com_liferay/|!ARGS:/fbmcc/|!ARGS:/ide_/|ARGS_NAMES|!ARGS:/bsr_/|!ARGS:nav-menu-data|!ARGS:/contact_map/|!ARGS:/adsense/|!ARGS:rtel [...]
message : [xxx] WAF Rules: Potential Cross Site Scripting Attack
Méthode HTTP : POST
IP Client : [xxx]
Port : 443
Protocole : HTTP/1.1
Uri : //plugins/simple-blog/save.php

Another behavior is when I try to insert a link in the article via the toolbar: it is not inserted. No logs in the firewall. The same happens when I try to insert a URL (img, a href, mailto) via the code view editor.

When I disable the firewall everything works fine.
With the firewall on, I can insert images and URLs in pages; they are saved and displayed on the site.

If I can, I would be happy to share more info if needed to help make it work through the firewall.
hominid
Posts: 6
Joined: Sat Mar 25, 2023 11:02 pm

Re: Simple blog - when saving inserted image firewall says: Potential Cross Site Scripting Attack

Post by hominid »

I don't know if this is related to your issue, but the National Vulnerability Database has an entry for WonderCMS Simple Blog plugin: "The Simple Blog plugin in Wondercms 3.4.1 is vulnerable to stored cross-site scripting (XSS) vulnerability. When any user opens a particular blog hosted on an attackers' site, XSS may occur."

https://nvd.nist.gov/vuln/detail/CVE-2021-42233

Maybe your web host (PlanetHoster) has a rule in its firewall to prevent this possibility?
wiz
Posts: 749
Joined: Sat Oct 30, 2010 12:23 am

Re: Simple blog - when saving inserted image firewall says: Potential Cross Site Scripting Attack

Post by wiz »

Hello @krisalyd.

The issue seems to be that your host is preventing you from inserting the <img src tag. If you drag and drop the image, does it happen anyway? I would try reaching out to them, explaining the situation along with the error and what the expected result is (inserting an image).

WonderCMS does enable users to execute JavaScript anywhere on their website (which could lead to Cross Site Scripting), but only admin users are allowed to save JavaScript in any place (not the visitors).

@hominid, you are correct; however, this is an authenticated vulnerability about WonderCMS websites and specifically their admins being allowed to utilise JavaScript in any shape or form. This has been a feature since WonderCMS was founded in 2008 and we outline it in our documentation as well. I don't think what krisalyd is reporting is the issue, unless he is specifically trying to execute an XSS attack.

Hope this clarifies the situation a bit and I would be interested in what PlanetHoster replies.
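
Added example (not part of any post above, and not WonderCMS or PlanetHoster code): a small triage script that applies the operator pattern from the firewall log to the decoded arguments of a form submission, so the exact parameter and matched text can be reported to the host. It assumes the rule applies no extra transformations, uses only the argument exclusions visible before the log is cut off at "[...]", and the field names "body" and "content" and all request bodies are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Operator pattern copied from the firewall log in the first post.
XSS_RX = re.compile(
    r"(?:< ?script|(?:<|< ?/)(?:(?:java|vb)script|about|applet|activex|chrome"
    r"|qx?ss|embed)|< ?/?i?frame\b|< ?img src ?=|< ?base href ?=)"
)

# Argument exclusions visible in the log before it is cut off at "[...]".
# "/.../" entries are regexes on the argument name, the rest are exact names.
VISIBLE_EXCLUSIONS = [
    "/^cont/", "/introtext/", "_message", "/com_liferay/", "/fbmcc/",
    "/ide_/", "/bsr_/", "nav-menu-data", "/contact_map/", "/adsense/",
]

def is_excluded(arg_name):
    """True if the argument's value is exempt under a visible exclusion."""
    for rule in VISIBLE_EXCLUSIONS:
        if len(rule) > 2 and rule[0] == "/" and rule[-1] == "/":
            if re.search(rule[1:-1], arg_name):
                return True
        elif rule == arg_name:
            return True
    return False

def flagged_args(urlencoded_body):
    """Return [(arg_name, matched_text)] for what the pattern would flag."""
    hits = []
    for name, value in parse_qsl(urlencoded_body, keep_blank_values=True):
        # ARGS_NAMES is in the rule's variable list, so names are checked too.
        candidates = [name] if is_excluded(name) else [name, value]
        for text in candidates:
            m = XSS_RX.search(text)
            if m:
                hits.append((name, m.group(0)))
    return hits

# Constructed bodies. "body" (blog save) and "content" (page save) are
# assumed field names, not taken from the plugin or from WonderCMS.
IMG = "%3Cp%3E%3Cimg+src%3D%22%2Fdata%2Ffiles%2Fcat.png%22%3E%3C%2Fp%3E"
BLOG_SAVE = "title=Hello&body=" + IMG
PAGE_SAVE = "fieldname=home&content=" + IMG
LINK_SAVE = "title=Hello&body=%3Ca+href%3D%22https%3A%2F%2Fexample.org%22%3Elink%3C%2Fa%3E"

if __name__ == "__main__":
    for label, body in (("blog", BLOG_SAVE), ("page", PAGE_SAVE), ("link", LINK_SAVE)):
        print(label, flagged_args(body))
```

Under these assumptions only the blog save is flagged, on the literal text "<img src=". A parameter whose name starts with "cont" is exempt from the rule, and a plain link does not match the pattern at all.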