Cross-site Scripting (XSS) - Stored in bigprof-software/online-invoicing-system

Valid

Reported on

Jun 30th 2021


✍️ Description

There is a stored XSS in the online invoicing system which could be exploited by any user who has permission to add a client. When a comment is added during the creation of a client by the user, then due to improper sanitization the XSS payload gets triggered.

🕵️‍♂️ Proof of Concept

Video POC:
https://drive.google.com/file/d/1g6if1zfpq9Wo5ASzSGztk_Xpuw6hpc7O/view?usp=sharing
Payload: '''><svg/onload=prompt(5)>

💥 Impact

Any user who has permission to add clients could steal admin or any user who can view clients.
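The report above describes a client comment that is stored and later rendered without encoding. As an added illustration (not code from online-invoicing-system; the field name, function names and markup are assumptions), the snippet below shows why the reported payload breaks out of an attribute when interpolated raw, and how attribute-context encoding with `htmlspecialchars` neutralises it:

```php
<?php
// Added example, not the project's own code. Shows the client "comment"
// value from the report rendered unescaped versus escaped. The field name
// 'comments' and the surrounding markup are constructed for illustration.

// Constructed sample: the payload quoted in the report above.
$comment = "'''><svg/onload=prompt(5)>";

// Vulnerable rendering: the stored value is interpolated straight into
// markup. The leading quotes and '>' close the single-quoted attribute and
// the <input> tag, so the <svg> element and its onload handler become live HTML.
function render_comment_unescaped(string $comment): string {
    return "<input type='text' name='comments' value='{$comment}'>";
}

// Hardened rendering: encode for an HTML attribute context. ENT_QUOTES
// encodes both ' and ", so a single-quoted attribute cannot be closed early,
// and < / > become &lt; / &gt; so no new element can be opened.
function render_comment_escaped(string $comment): string {
    $safe = htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<input type='text' name='comments' value='{$safe}'>";
}

// Small check usable in a regression test: does the rendered HTML still
// contain an opening tag for the given element name?
function contains_live_tag(string $html, string $tag): bool {
    return stripos($html, '<' . $tag) !== false;
}

$unsafe = render_comment_unescaped($comment);
$safe   = render_comment_escaped($comment);

echo $unsafe, PHP_EOL;
echo $safe, PHP_EOL;
var_dump(contains_live_tag($unsafe, 'svg'));
var_dump(contains_live_tag($safe, 'svg'));
```

The same encoding must be applied everywhere the stored comment is printed (edit forms, detail views, lists), since stored XSS fires at render time rather than on save.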

We have contacted a member of the bigprof-software/online-invoicing-system team and are waiting to hear back 5 months ago
BigProf
5 months ago

The code you're linking to above is from an older release. Please confirm if this is applicable to the latest release. You reported a similar issue for the invoices page that I wasn't able to reproduce.

x3rz
5 months ago

Researcher


Same for this one, sir. I cloned the latest repo from GitHub and then tested the application. Also, as you said latest release, I will download it from the release section, retest it and let you know, sir. As per this report, steps to reproduce:

Start the server. Log in as the user who has permission to make clients. Enter the given payload in the comment box. Save the client and you will see the pop-up.

x3rz
5 months ago

Researcher


Hello, @maintainer. I just checked the latest version as well; the payload is getting executed with the same payload. Video POC from downloading the latest version to exploitation: https://drive.google.com/file/d/1Dbw5vSli6srWXgMcn2T4dFEGaNB-VvfJ/view?usp=sharing

x3rz
5 months ago

Researcher


@bigprof any updates?

x3rz
5 months ago

Researcher


@admin any updates?

BigProf
5 months ago

I tried testing this again on both the master commit and v5.0 ... I wasn't able to reproduce it still .. please see my latest comment on the thread https://www.huntr.dev/bounties/1625043502189-bigprof-software/online-invoicing-system/ as it's a very similar scenario. I do want to fix this issue, if it exists, but I just can't tell why your results differ from what I have on my side :/

x3rz
5 months ago

Researcher


Yes, can you try typing the payload manually? Because it is working on my side, and I am using PHP 7.

BigProf
5 months ago

Here is what I tried .. no alert box: https://cdn.bigprof.com/screencasts/xss-test.mp4

BigProf Software validated this vulnerability 5 months ago
x3rz has been awarded the disclosure bounty
The fix bounty is now up for grabs
BigProf Software confirmed that a fix has been merged on 5c122d 5 months ago
BigProf Software has been awarded the fix bounty
x3rz
5 months ago

Researcher


Finally!! Thank you for this. I have also reported some vulnerabilities in the online rental property management software; please have a look and validate:
https://www.huntr.dev/bounties/1625331222863-bigprof-software/online-invoicing-system/
https://www.huntr.dev/bounties/1625330899924-bigprof-software/online-rental-property-manager/
https://www.huntr.dev/bounties/1625284759984-bigprof-software/online-rental-property-manager/
https://www.huntr.dev/bounties/1625284054254-bigprof-software/online-rental-property-manager/
https://www.huntr.dev/bounties/1625281713530-bigprof-software/online-rental-property-manager/
https://www.huntr.dev/bounties/1625280763977-bigprof-software/online-rental-property-manager/
https://www.huntr.dev/bounties/1625279905982-bigprof-software/online-rental-property-manager/
https://www.huntr.dev/bounties/1625279781154-bigprof-software/online-rental-property-manager/
https://www.huntr.dev/bounties/1625279711235-bigprof-software/online-rental-property-manager/
https://www.huntr.dev/bounties/1625279620358-bigprof-software/online-rental-property-manager/

BigProf
5 months ago

Yep .. will check them later tonight. I need some fresh air now :D

x3rz
5 months ago

Researcher


Yes, thank you again 😁