Cross-site Scripting (XSS) - Stored in alanaktion/phproject
Feb 14th 2022
This vulnerability is caused by an incorrect patch for the earlier report at https://huntr.dev/bounties/a465d272-35fc-4f9c-99f3-b89790c5ad1c/. For the API route /files/@id/@name, the application forces a download when the file is in SVG format (https://github.com/Alanaktion/phproject/blob/master/app/controller/files.php#L272). However, the route /files/preview/@id still serves the SVG file directly to the browser, where the script embedded in it executes, leading to a Stored XSS vulnerability.
Proof of Concept
- Step 1: Create an issue at https://demo.phproject.org/issues/new with the demo account.
- Step 2: In issue 13 (https://demo.phproject.org/issues/13), upload an SVG file (it receives id 24).
- Step 3: Visit the URL https://demo.phproject.org/files/preview/24. An alert popup appears. Content of the SVG file:
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/> <script>alert(origin) </script> </svg>
- PoC: https://drive.google.com/file/d/1mI6I2fQKOydiQALBqq-lru_MLJCig1Sq/view?usp=sharing
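The root cause above is that the download-forcing check lived in one route and was missed by the other. One way to close that gap, written here as an added example and not phproject's own code, is a single header-decision helper that every file-serving route calls, keyed on the detected content type rather than the extension alone. The function names, the $path/$name parameters and the route handlers are hypothetical; $path is assumed to already be resolved to a file inside the upload directory.

```php
<?php
// Added example, not phproject code: one helper shared by every route that
// serves an uploaded file, so a fix applied to /files/@id/@name cannot be
// missed by /files/preview/@id.

// Types a browser would render as active (script-capable) content if inlined.
const ACTIVE_CONTENT = [
    'image/svg+xml', 'text/html', 'application/xhtml+xml', 'text/xml', 'application/xml',
];
const ACTIVE_EXTENSIONS = ['svg', 'svgz', 'html', 'htm', 'xhtml', 'xml'];

function fileHeaders(string $path, string $name): array
{
    // Decide by sniffed MIME type *and* extension: a renamed SVG is still
    // detected by libmagic, and an SVG libmagic misses is caught by its name.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($path) ?: 'application/octet-stream';
    $ext   = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    $isActive = in_array($mime, ACTIVE_CONTENT, true)
             || in_array($ext, ACTIVE_EXTENSIONS, true);

    // Keep the filename header well-formed regardless of the stored name.
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $name);

    $headers = [
        'X-Content-Type-Options'  => 'nosniff',                     // no MIME guessing
        'Content-Security-Policy' => "default-src 'none'; sandbox", // defence in depth
    ];
    if ($isActive) {
        // Never render: the browser saves the file instead of executing it.
        $headers['Content-Type']        = 'application/octet-stream';
        $headers['Content-Disposition'] = 'attachment; filename="' . $safeName . '"';
    } else {
        $headers['Content-Type']        = $mime;
        $headers['Content-Disposition'] = 'inline; filename="' . $safeName . '"';
    }
    return $headers;
}

// Hypothetical handler used by both the download and the preview route.
function sendFile(string $path, string $name): void
{
    foreach (fileHeaders($path, $name) as $k => $v) {
        header($k . ': ' . $v);
    }
    readfile($path);
}
```

With both routes calling sendFile(), the SVG in the PoC is delivered as an attachment from /files/preview/24 as well, and the CSP sandbox header keeps any future inline rendering of an unexpected type from running script in the site's origin.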
We are processing your report and will contact the alanaktion/phproject team within 24 hours. a year ago
We have sent a second follow up to the alanaktion/phproject team. We will try again in 10 days. a year ago
We have sent a third and final follow up to the alanaktion/phproject team. This report is now considered stale. a year ago
Alan Hardman validated this vulnerability a year ago
nhiephon has been awarded the disclosure bounty
The fix bounty is now up for grabs
Alan Hardman marked this as fixed in 1.7.13 with commit 58e4b5 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE