Cross-site Scripting (XSS) - Stored in alanaktion/phproject

Valid

Reported on

Feb 14th 2022


Description

This is a vulnerability caused by incorrect patching of the vulnerability at https://huntr.dev/bounties/a465d272-35fc-4f9c-99f3-b89790c5ad1c/. For api /files/@id/@name, the application performed download action if the file was in svg format (https://github.com/Alanaktion/phproject/blob/master/app/controller/files.php#L272). However, with api /files/preview/@id, the svg file is still processed directly in the browser, leading to Stored XSS vulnerability.

Proof of Concept

  • Step 1: Create issue in https://demo.phproject.org/issues/new with demo account.
  • Step 2: In issue 13 (https://demo.phproject.org/issues/13), upload svg file (id 24).
  • Step 3: Visit URL https://demo.phproject.org/files/preview/24. You will see alert popup. Content of svg file:
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script>alert(origin)
  </script>
</svg>
  • PoC: https://drive.google.com/file/d/1mI6I2fQKOydiQALBqq-lru_MLJCig1Sq/view?usp=sharing

Impact

Stored XSS allow to execute javascript code in victim account.

We are processing your report and will contact the alanaktion/phproject team within 24 hours. 3 months ago
We have contacted a member of the alanaktion/phproject team and are waiting to hear back 3 months ago
We have sent a follow up to the alanaktion/phproject team. We will try again in 7 days. 3 months ago
We have sent a second follow up to the alanaktion/phproject team. We will try again in 10 days. 3 months ago
We have sent a third and final follow up to the alanaktion/phproject team. This report is now considered stale. 3 months ago
Alan Hardman validated this vulnerability 3 months ago
nhiephon has been awarded the disclosure bounty
The fix bounty is now up for grabs
Alan Hardman confirmed that a fix has been merged on 58e4b5 3 months ago
The fix bounty has been dropped
to join this conversation