VDB
EN
HIGH 8.7

GHSA-465g-4q99-5x86

NukeViet: Multiple Anti-XSS Filter Bypasses Leading to Stored XSS in News Module

상세

## Summary

Two filter-bypass techniques in `NukeViet\Core\Request::filterAttr()` and `NukeViet\Core\Request::unhtmlentities()` allow a low-privileged user (any account with news post permission) to store and serve arbitrary JavaScript to any visitor of the affected page.

## Affected Component

`vendor/vinades/nukeviet/Core/Request.php` — class `NukeViet\Core\Request`

## Vulnerability Details

### Bypass 1 — Form Feed character prefix (`\x0C`) before event handler name

The `filterAttr()` method blocks event-handler attributes using: ```php preg_match('/^on/i', $attrSubSet[0]) ``` PHP's `trim()` does **not** strip the ASCII Form Feed character (`\x0C`, U+000C). An attacker can prefix the attribute name with `\x0C` so that `\x0Conerror` does not match `/^on/`. The HTML5 browser parser treats `\x0C` as a valid whitespace separator and correctly activates the event handler.

**Proof-of-concept payload (URL-encoded POST body field `bodyhtml`):** ``` <img src="x" %0Conerror="alert('XSS')"> ```

### Bypass 2 — Decimal HTML entity tab (`&#9;`) inside `javascript:` URI

`unhtmlentities()` strips the hex-encoded tab `&#x09;` via `str_ireplace`, but did **not** strip its decimal equivalent `&#9;`. The keyword-blocking regex `/j\s*a\s*v\s*a\s*s\s*c\s*r\s*i\s*p\s*t/si` uses `\s*` which does not match HTML entities. The value `jav&#9;ascript:alert()` passes the filter, is stored in the database, and is decoded by the browser into a working `javascript:` URI.

**Proof-of-concept payload (inside a Markdown-style link):** ``` [Click me](jav&#9;ascript:alert('XSS')) ```

## Impact

An authenticated attacker with news-posting permission can inject persistent JavaScript that executes in the browser of **any user** (including administrators) who views the affected article. This enables session cookie theft, credential harvesting, defacement, and further privilege escalation.

## Patches

Fixed in commit `<commit-sha>` by modifying `vendor/vinades/nukeviet/Core/Request.php`:

1. **`filterAttr()`** — strip all ASCII control characters (`\x00`–`\x20`) from the attribute name before the `/^on/` check: ```php $attrSubSet[0] = preg_replace('/[\x00-\x20]/', '', strtolower($attrSubSet[0])); ```

2. **`unhtmlentities()`** — strip decimal HTML entities for all ASCII control characters (0–31) before the keyword checks: ```php $value = preg_replace('/&#0*(?:3[01]|[12][0-9]|[0-9]);/', '', $value); ```

## Workarounds

None. Update to the patched version.

## Resources

- CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) - OWASP WSTG-INPV-02: Testing for Stored Cross Site Scripting - [OWASP Top 10 A03:2021 – Injection](https://owasp.org/Top10/A03_2021-Injection/)

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

Packagist / nukeviet/nukeviet
최초 영향 버전: 0 수정 버전: 4.6.00
수정 composer require nukeviet/nukeviet:^4.6.00

참고