CVE-2022-39398: Cross-site Scripting Vulnerability in Tasklists Plugin for GLPI Prior to 2..3 – A Detailed Analysis of the Exploit and Patch

The tasklists plugin for GLPI (Kanban) is widely used for managing tasks effectively within an organization. Recently, a new vulnerability, CVE-2022-39398, has been discovered that affects versions prior to 2..3. The vulnerability is related to Cross-site Scripting (XSS) and can potentially allow an attacker to execute malicious scripts in the browser of a victim. In this post, we will dive deep into the issue, its exploit, and the fixed version, with code snippets, original references, and other relevant details.

Description

Cross-site Scripting (XSS) is a common vulnerability that allows attackers to inject malicious code into a vulnerable application. In the case of CVE-2022-39398, an attacker can potentially exploit this XSS vulnerability to create a task in the tasklists plugin of GLPI containing malicious JavaScript code. When an unsuspecting user views the task, the malicious code gets executed in their browser, putting them at risk.

Original Reference

The discovery of this vulnerability was reported in the following GitHub issue: https://github.com/InfotelGLPI/tasklists/issues/795

To better understand the vulnerability, let's analyze the exploit in detail.

Exploit Details

The exploitation of this vulnerability occurs due to insufficient input validation when a new task is created in the tasklists plugin. Specifically, when a user submits the form to create a new task, the application does not adequately sanitize the task content, allowing an attacker to submit crafted JS code that will be executed in other users' browsers.

Here's a code snippet that demonstrates how an attacker could trigger the XSS vulnerability by creating a new task with malicious content:

POST /plugins/tasklists/ajax/saveCard.php HTTP/1.1

... [headers] ...

{
  "content": "< script>alert('XSS');</ script>",
  ... [other_form_data] ...
}

The above request creates a new task whose content contains the malicious JS code. If input validation is absent or inadequate, the server stores the unsanitized input, and the stored XSS is triggered whenever another user views the task.

Patched Version (2..3)

This issue has been addressed and patched in version 2..3 of the tasklists plugin. The patch includes proper input validation and sanitization to prevent XSS attacks. The updated code can be found in this pull request: https://github.com/InfotelGLPI/tasklists/pull/796

Here's a code snippet from the patch that demonstrates how the input validation and sanitization have been implemented:

// Import HTML Purifier for input sanitization (the library must be on the include path)
require_once('HTMLPurifier.auto.php');

// Create a new configuration for HTML Purifier
$config = HTMLPurifier_Config::createDefault();

// Create an instance of HTML Purifier
$purifier = new HTMLPurifier($config);

// Before saving the task content, sanitize it using HTML Purifier
$sanitizedContent = $purifier->purify($_POST['content']);

By sanitizing input with HTML Purifier, the application now removes potentially malicious markup from the task content before saving it to the database, so the stored content can no longer carry executable script to other users' browsers.
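To make the before/after concrete, here is an added example (not code from the tasklists plugin or its patch) that places a minimal unsafe card-save path beside a hardened one and exercises both with the page's own payload. It assumes HTML Purifier is installed and reachable via HTMLPurifier.auto.php; the function names and the sample inputs are hypothetical.

```php
<?php
// Added example, not the plugin's code. Assumes HTML Purifier is on the include path.
require_once 'HTMLPurifier.auto.php';

// Vulnerable pattern: the task body is stored exactly as posted and later echoed into
// the Kanban card, so a <script> tag in "content" runs for every user who views it.
function saveCardUnsafe(array $post): string
{
    return $post['content']; // nothing removed, nothing encoded
}

// Hardened pattern: sanitize before storage against a whitelist of harmless markup,
// so rich-text formatting survives but script tags and event handlers do not.
function buildPurifier(): HTMLPurifier
{
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.Allowed', 'p,br,b,i,strong,em,ul,ol,li,a[href]');
    $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
    $config->set('Cache.DefinitionImpl', null); // no cache directory needed for a demo
    return new HTMLPurifier($config);
}

function saveCardSafe(array $post, HTMLPurifier $purifier): string
{
    return $purifier->purify($post['content']);
}

// Defence in depth: fields rendered as plain text (e.g. a card title) are encoded at
// output time, so a sanitizer regression cannot reintroduce script execution there.
function renderTitle(string $title): string
{
    return htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed inputs: the payload from the report, and a benign rich-text body that
// a legitimate task would contain and that the whitelist must preserve.
$samples = [
    ['content' => "<script>alert('XSS');</script>"],
    ['content' => '<p><b>Deploy</b> build to <a href="https://example.test">staging</a></p>'],
];

$purifier = buildPurifier();
foreach ($samples as $post) {
    echo "unsafe: " . saveCardUnsafe($post) . "\n";
    echo "safe:   " . saveCardSafe($post, $purifier) . "\n";
}
echo "title:  " . renderTitle("<script>alert('XSS');</script>") . "\n";
```

Running it shows the script payload surviving the unsafe path, being stripped by the purifier, and being rendered inert as entities by the output encoder, while the formatted body passes through the whitelist intact.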

No Known Workarounds

There are no known workarounds for this vulnerability. The only recommended solution is to update the tasklists plugin to version 2..3 or newer.

Conclusion

The CVE-2022-39398 vulnerability highlights the importance of proper input validation and sanitization in web applications to prevent Cross-site Scripting attacks. Users of the tasklists plugin for GLPI should update their plugin to version 2..3 or newer to mitigate the risk associated with this vulnerability.

Timeline

Published on: 11/10/2022 01:15:00 UTC
Last modified on: 11/11/2022 02:00:00 UTC