As per the ocPortal documentation, a value in a template that is not meant to contain HTML is marked as an escaped value ({VALUE*}). This means that HTML entities are substituted for the HTML control characters.
Here the VALUE marked with the * symbol is filtered by the XSS filter and sanitized before being displayed to the user. But they forgot to mark FIELD_NAME in the OCF_EMOTICON_CELL.tpl file.
\ocportal\themes\default\templates\OCF_EMOTICON_CELL.tpl
The View_all link beside the emoticons in the following screen contains this FIELD_NAME variable.
The View_all link sends the following GET request to the server:
The following is the source code of the emoticons.php file:
\ocportal\data\emotions.php
The following is the code related to the emoticons_script function in the misc_scripts.php file:
\ocportal\sources\misc_scripts.php
Code that loads the template file with the user-entered input:
\ocportal\sources\misc_scripts.php
This code reads the GET request parameter field_name and displays it back to the user without filtering, because the variable is not marked with the * symbol; it therefore never goes through any filtering.
GET request to emoticons.php with a script vector as the value of field_name:
And the injected payload is reflected back to the user, as shown in the following screen.
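To make the escaping convention concrete, the following is an added example written for this note, not ocPortal's own Tempcode engine: a minimal re-implementation of `{NAME}` versus `{NAME*}` substitution, a constructed stand-in for the emoticon cell template (the real .tpl text is not reproduced here), and a small lint that lists placeholders used without the * marker, which is exactly the FIELD_NAME defect described above.

```python
import html
import re

# Simplified re-implementation of the convention the report describes:
# {NAME} substitutes the value as-is, {NAME*} entity-encodes HTML control
# characters. This is an illustration, not ocPortal's real template engine.
PLACEHOLDER = re.compile(r"\{([A-Z_][A-Z0-9_]*)(\*?)\}")


def render(template, params):
    """Substitute {NAME} / {NAME*} placeholders; only starred ones are escaped."""
    def sub(match):
        name, starred = match.group(1), match.group(2) == "*"
        value = params.get(name, "")
        # html.escape replaces & < > " ' with entities, so the value can no
        # longer close the attribute or start a tag.
        return html.escape(value, quote=True) if starred else value
    return PLACEHOLDER.sub(sub, template)


def unescaped_placeholders(template):
    """Lint: placeholder names used without the * marker (candidates for review)."""
    return sorted({m.group(1) for m in PLACEHOLDER.finditer(template)
                   if m.group(2) != "*"})


# Constructed stand-ins for the emoticon cell template (hypothetical markup,
# not the real OCF_EMOTICON_CELL.tpl): the defect and the corrected form.
VULNERABLE_TPL = '<a href="{URL*}" title="{FIELD_NAME}">view all</a>'
FIXED_TPL = '<a href="{URL*}" title="{FIELD_NAME*}">view all</a>'

# Constructed tainted value: closes the title attribute and injects markup.
TAINTED = '"><b>x</b>'


if __name__ == "__main__":
    params = {"URL": "emoticons.php", "FIELD_NAME": TAINTED}
    print(render(VULNERABLE_TPL, params))   # markup lands in the page unchanged
    print(render(FIXED_TPL, params))        # markup is entity-encoded
    print(unescaped_placeholders(VULNERABLE_TPL))  # ['FIELD_NAME']
```

Running the lint over a theme's .tpl files flags every placeholder that would need a review of whether its value can carry user input.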