Cross-site Scripting (XSS) - Stored in cortezaproject/corteza-server

Valid

Reported on

Jun 10th 2021


💥 BUG

Stored XSS via SVG file upload, exploitable against the admin.

💥 TESTED VERSION

v2021.3.6

💥 IMPACT

A lower-privileged user can mount an XSS attack against the admin. Using this bug the attacker can execute arbitrary JavaScript in the victim's account.
A lower-privileged user can therefore execute arbitrary JavaScript in the admin's account and, for example, change their own role.

💥 STEP TO REPRODUCE

1. As admin, go to http://localhost:18080/admin/system/user and add a new user, user B.
Give user B CRM permission so that user B can create Notes.

2. Log in as user B and create a Note. Upload the SVG file https://github.com/ranjit-git/poc/raw/master/evilsvgfile.svg to this Note.
The download link of the uploaded file will look like http://localhost:18080/api/compose/namespace/234475729176375299/attachment/record/235004074443943939/original/evilsvgfile.svg?sign=ad604bd71d5f3b826318d56dba83b03dad0bb3b5&userID=234476336394022915&download=1 .
Remove the last parameter, download=1, from this URL. The file link is now http://localhost:18080/api/compose/namespace/234475729176375299/attachment/record/235004074443943939/original/evilsvgfile.svg?sign=ad604bd71d5f3b826318d56dba83b03dad0bb3b5&userID=234476336394022915 .
Open this link and observe that the XSS executes: without download=1 the signed URL still serves the file, but the browser now renders the SVG inline in the application's origin instead of downloading it, so its script runs.
Now send this link to the admin.

3. When the admin opens this link, the XSS is executed under the admin account.
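The following Go program is an added example, not code from this report or from corteza-server, chosen in Go because that is the project's language. It shows the two halves of the bug described above: a check that detects active content (script elements, on* handlers, javascript: URLs) in an uploaded SVG, and a header-building routine for an attachment endpoint in its weak form (inline unless ?download=1 is present, which is the behaviour the steps exploit) beside a hardened form. The SVG payloads are constructed for the example rather than the reporter's evilsvgfile.svg, and the function names, the inline-safe type list and the CSP/sandbox policy are assumptions illustrating a general defence, not the fix merged in af0563.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// Constructed sample payload (not the reporter's evilsvgfile.svg): an SVG that
// runs script both through a <script> element and an onload handler.
const sampleSVG = `<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)">
  <script>alert(1)</script>
  <rect width="10" height="10"/>
</svg>`

// Constructed benign SVG for comparison.
const benignSVG = `<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"/></svg>`

// svgHasActiveContent tokenises the SVG and reports whether it contains
// anything a browser executes when the file is rendered inline: <script>
// elements, on* event-handler attributes, or javascript: URLs in href/xlink:href.
func svgHasActiveContent(data []byte) (bool, error) {
	dec := xml.NewDecoder(bytes.NewReader(data))
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return false, nil
		}
		if err != nil {
			return false, err
		}
		se, ok := tok.(xml.StartElement)
		if !ok {
			continue
		}
		if strings.EqualFold(se.Name.Local, "script") {
			return true, nil
		}
		for _, a := range se.Attr {
			name := strings.ToLower(a.Name.Local)
			if strings.HasPrefix(name, "on") {
				return true, nil
			}
			if name == "href" && strings.HasPrefix(strings.TrimSpace(strings.ToLower(a.Value)), "javascript:") {
				return true, nil
			}
		}
	}
}

// weakAttachmentHeaders mirrors the behaviour the report exploits (assumed
// shape, not the project's code): the file is only forced to download when the
// caller passes download=1; otherwise it is served inline with its own content
// type, so an SVG is rendered as a document in the application's origin.
func weakAttachmentHeaders(filename, contentType string, download bool) http.Header {
	h := http.Header{}
	h.Set("Content-Type", contentType)
	if download {
		h.Set("Content-Disposition", fmt.Sprintf("attachment; filename=%q", filename))
	} else {
		h.Set("Content-Disposition", fmt.Sprintf("inline; filename=%q", filename))
	}
	return h
}

// inlineSafe lists raster image types a browser renders without executing
// anything; SVG is deliberately absent because it is an XML document that can
// carry script.
func inlineSafe(contentType string) bool {
	switch strings.ToLower(strings.TrimSpace(strings.SplitN(contentType, ";", 2)[0])) {
	case "image/png", "image/jpeg", "image/gif", "image/webp":
		return true
	}
	return false
}

// hardenedAttachmentHeaders is one defence-in-depth variant (an assumption, not
// necessarily what Corteza's patch did): script-capable types are never served
// inline regardless of the download flag, nosniff stops the browser from
// second-guessing the declared type, and a CSP sandbox blocks script even if
// an inline response is ever reached.
func hardenedAttachmentHeaders(filename, contentType string, download bool) http.Header {
	h := http.Header{}
	h.Set("Content-Type", contentType)
	h.Set("X-Content-Type-Options", "nosniff")
	h.Set("Content-Security-Policy", "default-src 'none'; sandbox")
	if download || !inlineSafe(contentType) {
		h.Set("Content-Disposition", fmt.Sprintf("attachment; filename=%q", filename))
	} else {
		h.Set("Content-Disposition", fmt.Sprintf("inline; filename=%q", filename))
	}
	return h
}

func main() {
	for name, svg := range map[string]string{"sample": sampleSVG, "benign": benignSVG} {
		active, err := svgHasActiveContent([]byte(svg))
		fmt.Printf("%s: active=%v err=%v\n", name, active, err)
	}
	// Same request as step 2 with download=1 removed: weak serves inline, hardened still forces a download.
	fmt.Println("weak:    ", weakAttachmentHeaders("evilsvgfile.svg", "image/svg+xml", false))
	fmt.Println("hardened:", hardenedAttachmentHeaders("evilsvgfile.svg", "image/svg+xml", false))
}
```

The content check is a gate for uploads, not a sanitizer: rejecting or quarantining SVGs that carry active content is simpler to get right than stripping it, and the header hardening protects even files that slip past the check.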

💥 VIDEO POC

https://drive.google.com/file/d/1DAIGYMuxyFD7CSmhbGxbinX4BTKgXHYK/view?usp=sharing

STUDY

https://owasp.org/www-community/attacks/xss/
https://en.wikipedia.org/wiki/Cross-site_scripting
https://www.acunetix.com/websitesecurity/cross-site-scripting/
https://www.imperva.com/learn/application-security/cross-site-scripting-xss-attacks/

ranjit-git modified the report
a year ago
Z-Old
a year ago

Admin


Hey @ranjit-git, I've just emailed the corteza-server maintainer and am waiting to hear back. Good job!

Tomaž Jerman
a year ago

Maintainer


Hi, apologies for the delay. The issue is confirmed and the patch is prepared. @Ziding Zhang how can I approve the issue, but keep it private?

Jamie Slome
a year ago

Admin


@Tomaz, once the report has been validated AND patched, it is made public. So if you mark it as valid, it will still remain private.

Tomaž Jerman validated this vulnerability a year ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
Tomaž Jerman confirmed that a fix has been merged on af0563 a year ago
The fix bounty has been dropped
Z-Old
a year ago

Admin


Thanks Tomaž! Any reason that you wished not to claim the fix bounty? Your feedback would be much appreciated, thanks 🙏
