Cross-site Scripting (XSS) - Reflected in btcpayserver/btcpayserver

Valid

Reported on

Sep 6th 2021


✍️ Description

XSS payload is triggered during editing and saving text included near the payment button.

🕵️‍♂️ Proof of Concept

"><img src=x onerror=alert(225552) ~2F>

In the app settings, try editing an already included product. Drop the payload into the Buy Button Text and save it; the payload will then be triggered.

💥 Impact

Execution of custom javascript code

We have contacted a member of the btcpayserver team and are waiting to hear back a year ago
btcpayserver/btcpayserver maintainer
a year ago

Maintainer


I can't reproduce, can you give me the URL of an app with the injection?

Ajmal
a year ago

Researcher


It triggered during the rendering time of the payload. I will provide a POC video; that's why I have provided it as a reflected XSS.

Ajmal
a year ago

Researcher


https://drive.google.com/file/d/1ghmdDK8auLVdg8nX_mAR_4LOYYRJixQH/view?usp=sharing

POC Video

Ajmal
a year ago

Researcher


I think it's a stored low-level issue.

Nicolas Dorier
a year ago

Maintainer


Thanks, but I do not need it; just copy/paste the URL here.

Nicolas Dorier
a year ago

Maintainer


Or can you just create a new user, repro the bug and just give me the login/password?

Ajmal
a year ago

Researcher


https://mainnet.demo.btcpayserver.org/apps/4Mbmqj7aSgxw63Ej2okwzFioBvC3/settings/pos

  • click the edit button of green tea
  • try editing Buy Button Text

Ajmal
a year ago

Researcher


login /cred : beefee.pwn@gmail.com :password@1234

Nicolas Dorier
a year ago

Maintainer


Doesn't work for me; I use the Brave browser. Can you inject the javascript in the app so that when I open

https://mainnet.demo.btcpayserver.org/apps/4Mbmqj7aSgxw63Ej2okwzFioBvC3/pos

I can see an alert popup?

Ajmal
a year ago

Researcher


Sir, I think it is reflected XSS; that's the reason why you were not able to see the payload. Can you please check the POC video? It takes only 20 seconds. Thanks for your continuous response.

Andrew
a year ago

Maintainer


Hi Ajmal, the backend validation prevents that scenario from saving and only you as the editor are seeing the JS execution.

Nicolas Dorier
a year ago

Maintainer


If we can repro the bug he is showing, we need to fix it, this is a vulnerability.

While the editor may execute javascript, when it is saved and page reloaded, the javascript should not execute anymore.

I saw the video, I tried to reproduce exactly the same steps and can't replicate it. Which browser do you use?
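The two maintainer comments above describe the mechanism at issue: the server rejects the value, but the editor's own live preview renders the Buy Button Text as markup, so the script runs in the editor's session before anything is saved. The following is an added example, not BTCPay Server's own code: a hypothetical preview renderer in its unsafe form beside an escaped form, driven by the buyButtonText value from the raw editor data in this thread. The button markup and function names are assumptions for illustration.

```javascript
// Added example (not BTCPay Server's code): a client-side "live preview" of a
// product field can execute script even though the server rejects the value.
// Sample value constructed from the raw editor data posted in this thread.
const buyButtonText = '"><img src=x onerror=alert(225552) ~2F>';

// Escapes the five characters that change meaning in HTML text and attribute
// contexts. Applied once per interpolation point, this is the standard fix.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable preview: interpolates the field straight into markup. Assigned to
// innerHTML in a browser, the leading '">' in the payload closes the title
// attribute and the <img onerror=...> element executes while the editor renders,
// which is exactly the "only the editor sees it" behaviour described above.
function renderPreviewUnsafe(text) {
  return `<button type="button" class="btn btn-primary" title="${text}">${text}</button>`;
}

// Hardened preview: the same markup, but the value is escaped before it is
// placed in the attribute and in the element body. The editor still sees the
// text verbatim; the browser parses it as text, never as a new element.
function renderPreviewSafe(text) {
  const safe = escapeHtml(text);
  return `<button type="button" class="btn btn-primary" title="${safe}">${safe}</button>`;
}

// Detection helper for the checks below (not a sanitizer): reports whether the
// rendered fragment contains any element other than the <button> we emitted.
function containsForeignTag(html) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g)].map((m) => m[1].toLowerCase());
  return tags.some((t) => t !== 'button');
}

console.log('unsafe:', renderPreviewUnsafe(buyButtonText));
console.log('safe:  ', renderPreviewSafe(buyButtonText));
```

Server-side validation, as the maintainers note, keeps the payload out of persisted data; escaping in the preview closes the remaining window in which the editor's own session runs it, so both checks together cover the stored and the reflected variants discussed in this thread.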

Nicolas Dorier
a year ago

Maintainer


I tried both with Firefox and Brave, couldn't reproduce. Can you copy/paste the "raw editor" after you managed to replicate it? Maybe if I copy this, I can replicate it.

Ajmal
a year ago

Researcher


Then I will provide you my raw editor data:

green tea:
  price: 1
  title: Green Tea
  description: "Lovely, fresh and tender, Meng Ding Gan Lu ('sweet dew') is grown in the lush Meng Ding Mountains of the southwestern province of Sichuan where it has been cultivated for over a thousand years."
  image: ~/img/pos-sample/green-tea.jpg
  custom: false
  buyButtonText: "><img src=x onerror=alert(225552) ~2F>

black tea:
  price: 1
  title: Black Tea
  description: "Tian Jian Tian Jian means 'heavenly tippy tea' in Chinese, and it describes the finest grade of dark tea. Our Tian Jian dark tea is from Hunan province which is famous for making some of the best dark teas available."
  image: ~/img/pos-sample/black-tea.jpg
  custom: false

rooibos:
  price: 1.2
  title: Rooibos
  description: "Rooibos is a dramatic red tea made from a South African herb that contains polyphenols and flavonoids. Often called 'African redbush tea', Rooibos herbal tea delights the senses and delivers potential health benefits with each caffeine-free sip."
  image: ~/img/pos-sample/rooibos.jpg
  custom: false

pu erh:
  price: 2
  title: Pu Erh
  description: "This loose pur-erh tea is produced in Yunnan Province, China. The process in a relatively high humidity environment has mellowed the elemental character of the tea when compared to young Pu-erh."
  image: ~/img/pos-sample/pu-erh.jpg
  custom: false

herbal tea:
  price: 1.8
  title: Herbal Tea
  description: "Chamomile tea is made from the flower heads of the chamomile plant. The medicinal use of chamomile dates back to the ancient Egyptians, Romans and Greeks. Pay us what you want!"
  image: ~/img/pos-sample/herbal-tea.jpg
  custom: true

fruit tea:
  price: 1.5
  title: Fruit Tea
  description: "The Tibetan Himalayas, the land is majestic and beautiful—a spiritual place where, despite the perilous environment, many journey seeking enlightenment. Pay us what you want!"
  image: ~/img/pos-sample/fruit-tea.jpg
  inventory: 5
  custom: true

Ajmal
a year ago

Researcher


I tested this one in Firefox, Brave, and Chromium.

Nicolas Dorier validated this vulnerability a year ago
Ajmal Aboobacker has been awarded the disclosure bounty
The fix bounty is now up for grabs
Nicolas Dorier
a year ago

Maintainer


Thank you for this, I could finally reproduce!

Nicolas Dorier
a year ago

Maintainer


Tracking progress https://github.com/btcpayserver/btcpayserver/issues/2856

Ajmal
a year ago

Researcher


❤️️

Nicolas Dorier
a year ago

Maintainer


Fixed by https://github.com/btcpayserver/btcpayserver/pull/2863

Nicolas Dorier confirmed that a fix has been merged on fc4e47 a year ago
Nicolas Dorier has been awarded the fix bounty
Jamie Slome
a year ago

Admin


CVE published!
