Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

Valid

Reported on

Jun 30th 2021


✍️ Description

There is a stored XSS in the Online Invoicing System that can be exploited by any user who has permission to add invoices. When a comment is entered while creating an invoice, the comment field is not properly sanitized, so an XSS payload stored in it is executed when the invoice is later viewed.

🕵️‍♂️ Proof of Concept

Video POC:
https://drive.google.com/file/d/1bC9YJFV08fltA23sPJSgIT0JTYU39NjR/view?usp=sharing
Payload: '''><svg/onload=prompt(5)>

💥 Impact

Stored XSS: an attacker can steal other users' cookies and hijack the session of any user who views the invoice containing the injected payload.

We have contacted a member of the bigprof-software/online-invoicing-system team and are waiting to hear back 5 months ago
BigProf
5 months ago

I'm unable to reproduce this issue. Please note that the code you linked to is from an older version of OIS. I tested this payload on the latest release and was unable to reproduce the vulnerability.

x3rz
5 months ago

Researcher


I cloned the latest repo from GitHub and then tested the application. Also, as you said latest release, I will download it from the release section, retest it and let you know, sir. As per this report, steps to reproduce:

  • Start the server
  • Log in as a user who has permission to create invoices
  • Enter the given payload in the comment box
  • Save the invoice and you will see a pop-up
BigProf
5 months ago

"Also as you said latest release i will download it from release section and then retest it and will let you know"

Thanks. I'll wait for your report.

x3rz
5 months ago

Researcher


Hello @maintainer, I just checked the latest version as well; the payload is executed there too, with the same payload. Video PoC from downloading the latest version to exploitation: https://drive.google.com/file/d/1Dbw5vSli6srWXgMcn2T4dFEGaNB-VvfJ/view?usp=sharing

x3rz
5 months ago

Researcher


@bigprof any updates?

x3rz
5 months ago

Researcher


@admin any updates?

BigProf
5 months ago

Sorry @x3rz for the long delay .. I have tons of tasks :/ Thanks for the detailed recording .. I see you're using v5.0 .. I made several commits after that release but didn't tag them yet. However, I did revert to v5.0 to try to retest this issue and added exactly the same payload '''><svg/onload=prompt(5)> into the invoice comments field but didn't see this issue happening ..

I checked the source code of the browser page to see how the payload is placed and here is the source code:

<textarea name="comments" id="comments" rows="5">&#039;&#039;&#039;&gt;&lt;svg/onload=prompt&#40;5&#41;&gt;&lt;br&gt;</textarea>

I'm not sure if the above is going to display correctly in the comments area of the huntr page, but anyway what I see is that the svg tag gets changed to HTML special characters, and so there is no code to execute ...

So, it's really puzzling to watch the screencast you recorded and see the clear XSS issue showing in it .. maybe it's related to a PHP version issue? I'm using PHP 7.0 during my test.

x3rz
5 months ago

Researcher


Thank you for your reply, sir. I am using PHP 7 myself and I am still able to reproduce it; I just checked it. Can you please type it manually in the comment box? Because I tried copy-paste and it didn't work in that case, but it works when I type it in manually.

x3rz
5 months ago

Researcher


I am using the Brave browser and the current version of Online Invoicing System.

BigProf
5 months ago

OK, I tried manually typing the payload into the comment box (and also the address box), clicked Save .. no alerts :/ Here is a screencast of what I tried: https://cdn.bigprof.com/screencasts/xss-test.mp4

I checked the page source code again to see how the payload is stored and here it is: <textarea name="comments" id="comments" rows="5">&#039;&#039;&#039;&gt;svg/onload=prompt&#40;5&#41;&gt;&lt;br&gt;</textarea>

Could this be a bug in brave browser? Could you try Firefox or Chrome if possible?

BigProf
5 months ago

OK, I guess I was able to finally reproduce the issue after slightly modifying the payload to xss"'><img src=x onerror=alert()>
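The thread above turns on one point: the maintainer inspected a single sink (the edit-form textarea, where the stored comment comes back entity-encoded) and concluded there was "no code to execute", while the researcher's recording showed the payload firing. The following is an added example, not code from the OIS project or from either participant. It models three hypothetical output contexts a stored invoice comment could be echoed into, with three encoders (no encoding, and approximations of PHP `htmlspecialchars()` with its pre-8.1 default `ENT_COMPAT` flags and with `ENT_QUOTES`), and reports which renderings still carry a live tag. The context names, the `audit` helper and the exact markup are assumptions for illustration.

```javascript
// Added example, not code from the OIS project. Models why the same stored
// comment is inert in one output context and live in another, so inspecting
// only the edit-form textarea can miss a stored XSS. Contexts and encoders
// below are assumptions, not the project's real templates.

// Payloads copied from the report.
const PAYLOAD_SVG = "'''><svg/onload=prompt(5)>";
const PAYLOAD_IMG = "xss\"'><img src=x onerror=alert()>";

// Approximation of PHP htmlspecialchars() with its pre-8.1 default flags
// (ENT_COMPAT): & < > " are encoded, the single quote is left as-is.
function escapeCompat(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
          .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Approximation of htmlspecialchars() with ENT_QUOTES: ' becomes &#039; too.
function escapeQuotes(s) {
  return escapeCompat(s).replace(/'/g, "&#039;");
}

// No encoding: the stored comment is echoed exactly as saved.
function escapeNone(s) {
  return s;
}

// Hypothetical output contexts an invoice comment could be written into.
const CONTEXTS = {
  editTextarea: (c, esc) =>
    `<textarea name="comments" id="comments" rows="5">${esc(c)}</textarea>`,
  viewCell: (c, esc) => `<td class="comments">${esc(c)}</td>`,
  singleQuotedAttr: (c, esc) =>
    `<input type='text' name='comments' value='${esc(c)}'>`,
};

// Does a start tag from the payload survive into the output as markup?
function hasLiveTag(html) {
  return /<(svg|img)\b/i.test(html);
}

// In a single-quoted attribute, any literal ' in the encoded value ends the
// value early; whatever follows is parsed as new attributes on the element.
// This is why a payload beginning with ''' targets that context.
function breaksOutOfSingleQuotedAttr(comment, esc) {
  return esc(comment).includes("'");
}

// Render a stored comment into every context with one encoder and report,
// per context, whether a live tag remains.
function audit(comment, esc) {
  const result = {};
  for (const [name, render] of Object.entries(CONTEXTS)) {
    result[name] = hasLiveTag(render(comment, esc));
  }
  return result;
}

// Stand-alone run: show what each encoder leaves behind for both payloads.
for (const payload of [PAYLOAD_SVG, PAYLOAD_IMG]) {
  for (const esc of [escapeNone, escapeCompat, escapeQuotes]) {
    console.log(esc.name, JSON.stringify(payload), audit(payload, esc),
      "attr breakout:", breaksOutOfSingleQuotedAttr(payload, esc));
  }
}
```

With `escapeQuotes`, the textarea rendering of the report's payload begins `&#039;&#039;&#039;&gt;&lt;svg/onload=prompt(5)&gt;`, which is the shape of the page source the maintainer pasted (OIS evidently encodes more than this, since its output also turns the parentheses into `&#40;` and `&#41;`, so the encoder here is only an approximation). With `escapeNone` the same stored value placed in the view cell carries a live `<svg>` tag, and with `escapeCompat` the single-quoted attribute is broken out of even though `<` is encoded. The practical check is therefore to enumerate every place the stored field is rendered (edit form, view page, print view, exports) and confirm the encoding matches each context, rather than testing the one sink where the payload happens to be inert.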

BigProf Software validated this vulnerability 5 months ago
x3rz has been awarded the disclosure bounty
The fix bounty is now up for grabs
BigProf Software confirmed that a fix has been merged on 5c122d 5 months ago
BigProf Software has been awarded the fix bounty