huntr report 47D6FC2A-989A-44EB-9CB7-AB4F8BD44496 (christynorl)
History: Dec 22, 2022 - 2:29 a.m.

Stored XSS bypass the protection rules

2022-12-22 02:29:41
christynorl
www.huntr.dev
stored xss
bypass
protection rules
vulnerability
7.0.0.2 update
javascript insertion
admin login

EPSS

0.017

Percentile

88.0%

Description

Hi there,

Someone submitted an XSS vulnerability about your project before. Please see "https://huntr.dev/bounties/f353adfb-e5b8-43e7-957a-894670fd4ccd/" for details. You submitted a fix in 7.0.0.2 with commit 4565d8. But after my tests, I found that it was still unsafe.
The following is the code you used.

str_ireplace('javascript', '', $text ?? '');

We can bypass it by inserting an additional ‘javascript’.
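The following is an added example, not OpenEMR's code and not the reporter's: it shows why the quoted one-pass replacement is not idempotent, and contrasts it with a scheme allowlist, which is the check a link-override field actually needs. The function names and the sample URL are constructed for illustration.

```php
<?php
// The filter quoted in the report: a single pass of str_ireplace.
// str_ireplace does not re-scan its output, so a nested occurrence of
// the blacklisted word survives as a well-formed "javascript" after
// the inner copy is removed.
function singlePassFilter(?string $text): string
{
    return str_ireplace('javascript', '', $text ?? '');
}

// Repeating the replacement until the output stops changing closes the
// nesting trick, but it is still a blacklist of one word and says
// nothing about other URL schemes. Shown only to illustrate the shape
// of the defect.
function iterativeFilter(?string $text): string
{
    $text = $text ?? '';
    do {
        $before = $text;
        $text = str_ireplace('javascript', '', $text);
    } while ($text !== $before);
    return $text;
}

// Allowlist approach: a link field should accept only http(s) URLs or
// an in-application relative path, and reject everything else rather
// than trying to strip dangerous words out of it.
function isSafeLink(string $url): bool
{
    $url = trim($url);
    if ($url === '') {
        return true; // empty override: caller falls back to the default link
    }
    // Relative path inside the application (but not a scheme-relative //host)
    if ($url[0] === '/' && substr($url, 0, 2) !== '//') {
        return true;
    }
    $scheme = parse_url($url, PHP_URL_SCHEME);
    return in_array(strtolower((string) $scheme), ['http', 'https'], true);
}

// The payload from this report, used as test input.
$payload = 'javjavascriptascript:alert(document.cookie)';
$once = singlePassFilter($payload);
echo "single pass  : {$once}\n";
echo "single pass  : " . (stripos($once, 'javascript:') === 0 ? "BYPASSED\n" : "blocked\n");
echo "iterative    : " . iterativeFilter($payload) . "\n";
echo "allowlist    : " . (isSafeLink($payload) ? "accepted\n" : "rejected\n");
echo "allowlist ok : " . (isSafeLink('https://example.com/manual.pdf') ? "accepted\n" : "rejected\n");
```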

Video link

https://drive.google.com/file/d/142SE1G7F6cHfc_TZRT7XzJCLu0Y2_887/view?usp=share_link

Steps

  1. Login with admin
  2. Go on Admin - config - Branding
  3. Edit User Manual Link Override Field
  4. Insert the following payload
     javjavascriptascript:alert(document.cookie)
  5. Logout with admin
  6. Login as any user and go on "About OpenEMR"
  7. Click User Manual Button

Proof of Concept

javjavascriptascript:alert(document.cookie)
