Not a bug A serious vulnerability related to the implementation of the code on js.

[DEDinPALTO]

Affected version

XenForo 2.2.6 Patch 2

Hi, recently, I found an XSS vulnerability on one of the Russian-language forums. After several hours of research, the following was clear:

1. The forum where this vulnerability was noticed did not filter href. Therefore, it was possible to substitute the following script:

javascript:alert(document.cookie)

It was successfully triggered. This allows you to intercept the cookies of other users.

2. This vulnerability was also noticed on the official forum. I was able to embed the code in the same href in each topic header.

 

[Chris D]

Upon further investigation and discussion the issue being reported pertains to modifying the already rendered content using the browser's developer tools.

There is no way to filter href attributes in the DOM that has already been sent to the client.

Filtering / escaping HTML happens on the server before the content is returned to the client where needed.

While it is possible to inject JavaScript into the content that has been returned to your browser, the result of that JavaScript executing affects only your browser. In the example provided, it would be possible to return a copy of your own cookies, but not anyone else's. This is loosely known as a self-XSS but given that this pertains only to using the browser's development tools to achieve it still doesn't really count.

Thank you very much for reporting the issue anyway. It is always better to be safe than sorry. But, in future, please report suspected security vulnerabilities by submitting a ticket or by emailing security@xenforo.com.