Cross-site Scripting (XSS) - Stored in alanaktion/phproject
Valid
Reported on
Feb 14th 2022
Description
This vulnerability results from an incomplete fix for the earlier report at https://huntr.dev/bounties/a465d272-35fc-4f9c-99f3-b89790c5ad1c/. For the API route /files/@id/@name, the application forces a download when the file is in SVG format (https://github.com/Alanaktion/phproject/blob/master/app/controller/files.php#L272). However, the route /files/preview/@id still serves the SVG file for direct rendering in the browser, so an uploaded SVG containing a script leads to a Stored XSS vulnerability.
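The fix the description implies is a single serving policy shared by both routes, so that the download and preview code paths cannot diverge again. The following is an added example in Python, not phproject's own code; it assumes the caller has already looked up the stored file's original name, declared MIME type and leading bytes, and the helper names (is_svg, upload_headers) are hypothetical.

```python
import re

# MIME types a browser will execute as a document when served inline.
ACTIVE_TYPES = {"image/svg+xml", "text/html", "application/xhtml+xml",
                "text/xml", "application/xml"}
SVG_ROOT = re.compile(rb"<svg[\s>]", re.IGNORECASE)


def is_svg(name: str, declared_type: str, head: bytes) -> bool:
    """Treat the file as SVG if the name, the declared type, or the leading
    bytes say so. Relying on only one signal, in only one route, is how a
    download-vs-preview inconsistency like the one described above arises."""
    return (name.lower().endswith(".svg")
            or declared_type.lower() == "image/svg+xml"
            or SVG_ROOT.search(head[:2048]) is not None)


def upload_headers(name: str, declared_type: str, head: bytes) -> dict:
    """Response headers for serving a stored upload. Intended to be called by
    every route that returns file bytes (download and preview alike)."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", name) or "file"
    headers = {"X-Content-Type-Options": "nosniff"}
    if is_svg(name, declared_type, head) or declared_type.lower() in ACTIVE_TYPES:
        # Force a download: the bytes never become a document in the app origin.
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{safe_name}"'
    else:
        # Inline preview of passive content; still deny scripts in case the
        # user-supplied type is wrong, and give the document an opaque origin.
        headers["Content-Type"] = declared_type
        headers["Content-Disposition"] = f'inline; filename="{safe_name}"'
        headers["Content-Security-Policy"] = "sandbox; script-src 'none'"
    return headers


# Constructed sample input: the SVG body from the proof of concept on this page.
POC_SVG = (b'<?xml version="1.0" standalone="no"?>\n'
           b'<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">'
           b'<script>alert(origin)</script></svg>')

if __name__ == "__main__":
    # Both routes get the same answer for the same file.
    for route in ("/files/24/poc.svg", "/files/preview/24"):
        print(route, upload_headers("poc.svg", "image/svg+xml", POC_SVG))
```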
Proof of Concept
- Step 1: Create an issue at https://demo.phproject.org/issues/new with the demo account.
- Step 2: In issue 13 (https://demo.phproject.org/issues/13), upload an SVG file (it receives id 24).
- Step 3: Visit https://demo.phproject.org/files/preview/24. An alert popup appears. Contents of the SVG file:
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script>alert(origin)
</script>
</svg>
- PoC: https://drive.google.com/file/d/1mI6I2fQKOydiQALBqq-lru_MLJCig1Sq/view?usp=sharing
Impact
Stored XSS allows an attacker to execute JavaScript code in the victim's account.
Timeline
- We are processing your report and will contact the alanaktion/phproject team within 24 hours. (a year ago)
- We have contacted a member of the alanaktion/phproject team and are waiting to hear back. (a year ago)
- We have sent a follow up to the alanaktion/phproject team. We will try again in 7 days. (a year ago)
- We have sent a second follow up to the alanaktion/phproject team. We will try again in 10 days. (a year ago)
- We have sent a third and final follow up to the alanaktion/phproject team. This report is now considered stale. (a year ago)
- The fix bounty has been dropped.
- This vulnerability will not receive a CVE.