Cross-site Scripting (XSS) - Stored in admidio/admidio
Valid
Oct 14th 2021
Hello. Looking at your project, I saw in the commits several anti-CSRF token additions, but also a commit that disallows SVG file upload.
However, a blacklist is in general a bad idea: for example, php3, ... are blocked, but it is still possible to send a .phps file ...
Among the extensions that are not blocked, there is also
From OWASP: Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user.
Proof of Concept
- On /adm_program/system/file_upload.php?module=documents_files&id=1 upload a file with
- Go to /adm_my_files/documents_test/test.html2 (instead of going through the file manager, we use the direct URL so that the file is not sent as a download, as it normally would be; the web server has no MIME type registered for the unknown .html2 extension, so the browser sniffs the content and renders it as HTML)
- The file is rendered by the browser and the script it contains executes
In the version I'm using, the anti-CSRF protection is not yet in place, but even with it, it would be possible to bypass it via this stored XSS and perform malicious actions such as adding a new administrator.
I did not propose a fix with this report, but I recommend replacing this blacklist system with a whitelist system.
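To make the blacklist-versus-whitelist point above concrete, here is an added example (not Admidio's code; the extension lists, function names and sample filenames are assumptions for illustration). It runs the filenames from the report and the ones mentioned in the blacklist discussion through a hypothetical blacklist check and through an allowlist check, and shows how storing accepted uploads under a random single-extension name removes the double-extension and attacker-chosen-name problems entirely.

```php
<?php
declare(strict_types=1);

// Hypothetical blacklist in the spirit of the one criticised in the report:
// anything not listed here is accepted, so .phps and .html2 slip through.
const BLOCKED_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'phtml', 'svg', 'html', 'htm', 'js'];

// Hypothetical allowlist: only the document types this upload endpoint needs.
const ALLOWED_EXTENSIONS = ['pdf', 'txt', 'csv', 'png', 'jpg', 'jpeg', 'gif', 'docx', 'xlsx', 'zip'];

// Lower-cased extension of the last dot-separated segment, '' if there is none.
function extensionOf(string $filename): string
{
    return strtolower(pathinfo($filename, PATHINFO_EXTENSION));
}

// Normalise the client-supplied name: drop path components and trailing
// dots/spaces, which some filesystems and servers strip silently.
function cleanName(string $filename): string
{
    return rtrim(basename($filename), ". ");
}

// Blacklist check: accepts everything except the listed extensions.
function blacklistAccepts(string $filename): bool
{
    return !in_array(extensionOf(cleanName($filename)), BLOCKED_EXTENSIONS, true);
}

// Allowlist check: accepts only a known, needed extension.
function allowlistAccepts(string $filename): bool
{
    $ext = extensionOf(cleanName($filename));
    return $ext !== '' && in_array($ext, ALLOWED_EXTENSIONS, true);
}

// Name under which an accepted upload is stored on disk: random, and with
// exactly one extension, so neither the attacker-chosen name nor a double
// extension such as "shell.php.txt" ever reaches the filesystem.
function storageName(string $originalName): ?string
{
    if (!allowlistAccepts($originalName)) {
        return null;
    }
    return bin2hex(random_bytes(16)) . '.' . extensionOf(cleanName($originalName));
}

// Constructed sample filenames: the report's test.html2, the .phps case from
// the blacklist discussion, a double extension, an SVG, and harmless documents.
$samples = ['report.pdf', 'notes.PDF', 'test.html2', 'shell.phps', 'shell.php.txt', 'image.svg', 'noext'];

foreach ($samples as $s) {
    printf(
        "%-14s blacklist: %-5s allowlist: %-5s stored as: %s\n",
        $s,
        blacklistAccepts($s) ? 'pass' : 'block',
        allowlistAccepts($s) ? 'pass' : 'block',
        storageName($s) ?? '-'
    );
}
```

The extension check alone is not sufficient on its own: the uploaded directory should also be served from a location where the web server never executes scripts, and downloads should be delivered with `Content-Disposition: attachment` and `X-Content-Type-Options: nosniff`, because the proof of concept above only works when the browser is allowed to sniff an unrecognised `.html2` file and render it as HTML.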