GHSA-465g-4q99-5x86
NukeViet: Multiple Anti-XSS Filter Bypasses Leading to Stored XSS in News Module
상세
## Summary
Two filter-bypass techniques in `NukeViet\Core\Request::filterAttr()` and `NukeViet\Core\Request::unhtmlentities()` allow a low-privileged user (any account with news post permission) to store and serve arbitrary JavaScript to any visitor of the affected page.
## Affected Component
`vendor/vinades/nukeviet/Core/Request.php` — class `NukeViet\Core\Request`
## Vulnerability Details
### Bypass 1 — Form Feed character prefix (`\x0C`) before event handler name
The `filterAttr()` method blocks event-handler attributes using: ```php preg_match('/^on/i', $attrSubSet[0]) ``` PHP's `trim()` does **not** strip the ASCII Form Feed character (`\x0C`, U+000C). An attacker can prefix the attribute name with `\x0C` so that `\x0Conerror` does not match `/^on/`. The HTML5 browser parser treats `\x0C` as a valid whitespace separator and correctly activates the event handler.
**Proof-of-concept payload (URL-encoded POST body field `bodyhtml`):** ``` <img src="x" %0Conerror="alert('XSS')"> ```
### Bypass 2 — Decimal HTML entity tab (`	`) inside `javascript:` URI
`unhtmlentities()` strips the hex-encoded tab `	` via `str_ireplace`, but did **not** strip its decimal equivalent `	`. The keyword-blocking regex `/j\s*a\s*v\s*a\s*s\s*c\s*r\s*i\s*p\s*t/si` uses `\s*` which does not match HTML entities. The value `jav	ascript:alert()` passes the filter, is stored in the database, and is decoded by the browser into a working `javascript:` URI.
**Proof-of-concept payload (inside a Markdown-style link):** ``` [Click me](jav	ascript:alert('XSS')) ```
## Impact
An authenticated attacker with news-posting permission can inject persistent JavaScript that executes in the browser of **any user** (including administrators) who views the affected article. This enables session cookie theft, credential harvesting, defacement, and further privilege escalation.
## Patches
Fixed in commit `<commit-sha>` by modifying `vendor/vinades/nukeviet/Core/Request.php`:
1. **`filterAttr()`** — strip all ASCII control characters (`\x00`–`\x20`) from the attribute name before the `/^on/` check: ```php $attrSubSet[0] = preg_replace('/[\x00-\x20]/', '', strtolower($attrSubSet[0])); ```
2. **`unhtmlentities()`** — strip decimal HTML entities for all ASCII control characters (0–31) before the keyword checks: ```php $value = preg_replace('/�*(?:3[01]|[12][0-9]|[0-9]);/', '', $value); ```
## Workarounds
None. Update to the patched version.
## Resources
- CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) - OWASP WSTG-INPV-02: Testing for Stored Cross Site Scripting - [OWASP Top 10 A03:2021 – Injection](https://owasp.org/Top10/A03_2021-Injection/)
이 버전이 영향받나요?
사용 중인 패키지 버전을 입력하면 즉시 평가합니다.
영향 패키지
0 수정 버전: 4.6.00 composer require nukeviet/nukeviet:^4.6.00