Stored XSS in neorazorx/facturascripts

Valid

Reported on

May 18th 2022


Description

Stored XSS in ListAgenciaTransporte module in facturascripts is triggered when clicking the scrolling middle mouse button.

Proof of Concept

1. Create a new non-admin account
2. Login and go to http://localhost/invoices/EditAgenciaTransporte
3. Add new user with website link to javascript:confirm(document.domain)
4. Save user and navigate to http://localhost/invoices/ and click on the website link of newly created user by using the scrolling middle mouse button.

Note

I see that there is a fix for this XSS vulnerability by clicking the left mouse button here (https://huntr.dev/bounties/31aba7c9-edcf-44bf-9fd8-ca15d1fa53c8/) but in this report, I can trick it by clicking the middle mouse button.

Impact

This vulnerability has the potential to phish user to another page and trick user to steal cookies and gain unauthorized access to that user's account through the stolen cookies.

We are processing your report and will contact the neorazorx/facturascripts team within 24 hours. a month ago
We have contacted a member of the neorazorx/facturascripts team and are waiting to hear back a month ago
KhanhCM
a month ago

Researcher


Hi @maintainer, can you please review my report? Thanks!

We have sent a follow up to the neorazorx/facturascripts team. We will try again in 7 days. a month ago
Carlos Garcia
a month ago

Maintainer


This bug was fixed here https://huntr.dev/bounties/31aba7c9-edcf-44bf-9fd8-ca15d1fa53c8/

The researcher's credibility has decreased: -5
KhanhCM
a month ago

Researcher


Hi @maintainer,

This bug is not the same as in the other report https://huntr.dev/bounties/31aba7c9-edcf-44bf-9fd8-ca15d1fa53c8/ which uses the left mouse button to click on the link.

Although the bug is stored XSS at the same place, the way to exploit it is different.

In my report, to exploit the bug, you must click on the link by using the middle scrolling mouse button. I have tested it on the newest release which is 2022.08 and it is still vulnerable.

You can read the reference in my report to know more about this technique, it's a type of bypass of your fix in the previous report. (http://blog.dclabs.com.br/2021/05/the-curious-case-of-xss-and-mouse.html)

I hope that you will review it again, thank you!

Carlos Garcia
a month ago

Maintainer


I was unable to save javascript:confirm(document.domain) as url after the patch. But in case you had already saved them before the patch, with this other patch the link will not be generated when displaying the data -> https://github.com/NeoRazorX/facturascripts/commit/f3f8d437d55709eb61ef40677b9a9103fd18a953
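
The two layers described in the comment above (reject the value on save, and do not generate a link when displaying data that was stored earlier), as an added example that is not FacturaScripts code and not taken from the linked commit. The function names safeWebUrl and renderWebsiteCell and the sample values are hypothetical; the same validator would be called at save time. Because the href only ever carries an http(s) URL, it does not matter which mouse button delivers the click.

```php
<?php
declare(strict_types=1);

// Added example: every name here is hypothetical, not the project's own.
const ALLOWED_SCHEMES = ['http', 'https'];

/**
 * Return a normalized URL when it is an absolute http(s) link, otherwise null.
 */
function safeWebUrl(string $raw): ?string
{
    // Browsers drop tab/CR/LF anywhere in a URL and strip leading/trailing
    // control characters and spaces, so "java\tscript:" still runs as script.
    $url = str_replace(["\t", "\n", "\r"], '', $raw);
    $url = trim($url, "\x00..\x20");

    if (preg_match('~^([a-z][a-z0-9+.\-]*)://[^/\s]~i', $url, $m) !== 1) {
        return null; // no scheme, or nothing that looks like a host
    }
    return in_array(strtolower($m[1]), ALLOWED_SCHEMES, true) ? $url : null;
}

/** Display-time check: stored values that fail validation are shown as text. */
function renderWebsiteCell(string $stored): string
{
    $text = htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $url = safeWebUrl($stored);
    if ($url === null) {
        return '<span>' . $text . '</span>';
    }
    $href = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="' . $href . '" rel="noopener noreferrer">' . $text . '</a>';
}

// Constructed sample values, including the one from the report.
$samples = [
    'https://example.com/carrier',
    'javascript:confirm(document.domain)',
    " JaVa\tScRiPt:confirm(document.domain)",
    'example.com',
];
foreach ($samples as $value) {
    echo renderWebsiteCell($value), PHP_EOL;
}
```

Only the first sample is rendered as an anchor; the other three come out as escaped text inside a span.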

Carlos Garcia
a month ago

Maintainer


I don't know how to proceed in these cases. It won't let me mark as valid anymore.

KhanhCM
a month ago

Researcher


Hi @admin, can you help the maintainer to edit the status of this report from duplicate to valid as he mentioned in the above comment?

Many thanks!

Jamie Slome
a month ago

Admin


@neorazorx - I have re-opened the report for you 👍 Feel free to update the report as you see fit :)

Carlos Garcia validated this vulnerability a month ago
KhanhCM has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Carlos Garcia confirmed that a fix has been merged on f3f8d4 a month ago
The fix bounty has been dropped
Utils.php#L138-L146 has been validated