Cross-site Scripting (XSS) - Stored in chevereto/chevereto-free
Reported on
Jul 17th 2021
✍️ Description
Stored XSS via image upload
TESTED VERSION
latest github code as of 16/7/21
🕵️♂️ Proof of Concept
1. First download https://github.com/ranjit-git/poc/blob/master/xss%22'%3E%3Cimg%20src%3Dx%20onerror%3Dalert(123)%3E.jpeg (an image file) in Linux. Don't change the file name. This type of file can be created in Linux.
2. Now go to your account in Chevereto http://localhost/Chevereto-Free/upload and upload the above image.
3. Now the image URL will be generated like http://localhost/Chevereto-Free/image/kwC.
4. When any user opens this URL, the XSS is executed.
I have uploaded a demo file to https://demo.chevereto.com/image/eoYiV
Your paid version may also be vulnerable to this attack.
VIDEO POC
https://drive.google.com/file/d/1HlWbvYayzS3_hfpkIJGBk0pCHde8JgEF/view?usp=sharing
💥 Impact
XSS bug
📍 Location
index.php#L18
Occurrences
- Using the alleged file from the cloned repo didn't trigger the issue under Ubuntu 20 (Chrome, Falkon, Firefox).
- Accessing http://REDACTED/Chevereto-Free/image/kwC doesn't show any alert. We tested with many browsers, even on Windows.
- We are unable to validate the POC.
Update: I've managed to trigger the issue by forcing the alleged XSS directly in the database. I've found that oembed was missing safe_html
escaping when printing the value to HTML.
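The root cause described in the update, shown as an added example that is not Chevereto's own code: a user-controlled file name is printed into an HTML attribute of an oEmbed-related tag, first without escaping and then with it. The tag shape, the function names and the `href` value are hypothetical; `htmlspecialchars` stands in for the project's `safe_html` helper.

```php
<?php
// Added example, not Chevereto code. Shows why an uploaded file name must be
// HTML-escaped before it is echoed into the page's oEmbed markup.
declare(strict_types=1);

// Constructed sample: an original file name shaped like the one in the report,
// carrying a quote that closes an attribute followed by a new tag.
const UPLOADED_NAME = 'xss"\'><img src=x onerror=alert(123)>.jpeg';

// Hypothetical href; the real endpoint and markup are not reproduced here.
const OEMBED_HREF = '/oembed?url=%2Fimage%2Fexample';

// Vulnerable rendering: the name is interpolated raw into the title attribute,
// so the quote in the name ends the attribute and the rest becomes markup.
function renderOembedTagUnsafe(string $filename): string
{
    return '<link rel="alternate" type="application/json+oembed" title="'
        . $filename . '" href="' . OEMBED_HREF . '">';
}

// Hardened rendering: ENT_QUOTES encodes both quote styles, and '<' / '>'
// are always encoded, so the value cannot leave the attribute.
function renderOembedTagSafe(string $filename): string
{
    $escaped = htmlspecialchars($filename, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<link rel="alternate" type="application/json+oembed" title="'
        . $escaped . '" href="' . OEMBED_HREF . '">';
}

// Reviewer check: exactly one tag should open in the rendered string.
// A second '<' means the file name has broken out of its attribute.
function containsInjectedTag(string $html): bool
{
    return substr_count($html, '<') > 1;
}

echo 'unsafe injected: ', containsInjectedTag(renderOembedTagUnsafe(UPLOADED_NAME)) ? 'yes' : 'no', PHP_EOL;
echo 'safe injected:   ', containsInjectedTag(renderOembedTagSafe(UPLOADED_NAME)) ? 'yes' : 'no', PHP_EOL;
echo renderOembedTagSafe(UPLOADED_NAME), PHP_EOL;
```

The same escaping applies wherever the name or title is printed into HTML, including the JSON oEmbed response if it embeds HTML fragments; text in a JSON string context instead needs JSON encoding, not HTML escaping.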
How can I re-open this?
Hey, we've fixed this. Where can we send the money?
We sponsor the payment on your behalf!
If you would like to contribute to the vulnerability research into this repository, we can also support this.
Just make sure to confirm the relevant patch as well, using the confirm fix button!