Cross-site Scripting (XSS) - Stored in alanaktion/phproject
Feb 14th 2022
This vulnerability is caused by an incorrect patch for the vulnerability reported at https://huntr.dev/bounties/a465d272-35fc-4f9c-99f3-b89790c5ad1c/. For the API route /files/@id/@name, the application forces a download when the file is in SVG format (https://github.com/Alanaktion/phproject/blob/master/app/controller/files.php#L272). However, with the API route /files/preview/@id, the SVG file is still rendered directly in the browser, leading to a stored XSS vulnerability.
Proof of Concept
- Step 1: Create an issue at https://demo.phproject.org/issues/new with the demo account.
- Step 2: In issue 13 (https://demo.phproject.org/issues/13), upload an SVG file (it receives id 24).
- Step 3: Visit the URL https://demo.phproject.org/files/preview/24. You will see an alert popup. Content of the SVG file:
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/> <script>alert(origin) </script> </svg>
- PoC: https://drive.google.com/file/d/1mI6I2fQKOydiQALBqq-lru_MLJCig1Sq/view?usp=sharing
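The fix the report implies, as an added example that is not phproject's own code: a single helper decides the response headers for an uploaded file, and both the download route and the preview route call it, so an SVG is forced to download on every route rather than only one. The route handler, the header list and the active-content type list are this example's own assumptions.

```php
<?php
// Added illustration, not phproject code: one helper that both the download
// route and the preview route call, so active content such as SVG is never
// rendered inline from the application's own origin on either route.
declare(strict_types=1);

// MIME types a browser may execute script from when rendered inline
// (assumption: this list is the illustration's own, not the project's).
const ACTIVE_CONTENT_TYPES = ['image/svg+xml', 'text/html',
    'application/xhtml+xml', 'text/xml', 'application/xml'];

// Decide on both the sniffed MIME type and the extension: libmagic does not
// always recognise an SVG without an XML declaration (the PoC file has none).
function mustForceDownload(string $mime, string $filename): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return in_array(strtolower($mime), ACTIVE_CONTENT_TYPES, true)
        || in_array($ext, ['svg', 'svgz', 'html', 'htm', 'xml', 'xhtml'], true);
}

// Headers for serving an uploaded file; returned as name => value so the
// same decision is reused by every route that serves uploads.
function headersForUpload(string $mime, string $filename): array
{
    $safeName = str_replace(['"', "\r", "\n"], '', basename($filename));
    $headers = [
        'Content-Type' => $mime,
        'X-Content-Type-Options' => 'nosniff',                      // no type sniffing
        'Content-Security-Policy' => "default-src 'none'; sandbox", // no script even if rendered
    ];
    $disposition = mustForceDownload($mime, $filename) ? 'attachment' : 'inline';
    $headers['Content-Disposition'] = $disposition . '; filename="' . $safeName . '"';
    return $headers;
}

// Hypothetical handler shared by /files/@id/@name and /files/preview/@id.
function serveUpload(string $path, string $filename): void
{
    $mime = mime_content_type($path) ?: 'application/octet-stream';
    foreach (headersForUpload($mime, $filename) as $name => $value) {
        header($name . ': ' . $value);
    }
    readfile($path);
}
```

The point this report makes is that the helper must be reached from the preview route too; a fix applied to only one of the two routes leaves the other as a bypass.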