Cross-site Scripting (XSS) - Stored in admidio/admidio

Status: Valid

Reported on Oct 14th 2021


Description

Hello, looking at your project, I saw in the commits several anti-CSRF token additions, but also a commit to not allow SVG file upload.

However, a blacklist is in general a bad idea: for example, php, php3, ... are blocked, but it is always possible to send a .php7 or .phps file. Among the extensions that are not blocked there is also .html2; this extension allows you to send a file with arbitrary content, including JavaScript, to obtain a stored XSS.

From OWASP: "Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user."

Proof of Concept

  1. On /adm_program/system/file_upload.php?module=documents_files&id=1, upload a file with the .html2 extension and HTML/JavaScript content
  2. Go to /adm_my_files/documents_test/test.html2 (instead of going through the manager, we use the direct URL so that the file is not downloaded, as would normally be the case)
  3. The file is opened and executed

Impact

In the version I'm using the anti-CSRF protection is not yet in place, but even with it in place it would be possible to bypass it and perform malicious actions such as adding a new administrator.

Remediation

I did not propose a fix with this report, but I recommend replacing this blacklist system with a whitelist system.
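The blacklist-versus-whitelist point above, as an added illustration that is not part of the report or of Admidio's code: a constructed denylist of the kind the report criticises lets `test.html2` and `shell.php7` through, while an allowlist of the extensions the module actually needs rejects them. The extension sets, the Python language and the `download_headers` helper (a defence-in-depth for files served by direct URL, as in step 2 of the PoC) are all assumptions of this example.

```python
import os

# Constructed denylist modelled on the report's description: a handful of
# script/markup extensions are refused and everything else is accepted.
# These names are illustrative, not Admidio's actual list.
DENIED_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "html", "htm", "svg"}

# Constructed allowlist: only what the Documents & Files module should accept.
# A real deployment tunes this set to its own needs.
ALLOWED_EXTENSIONS = {"pdf", "txt", "jpg", "jpeg", "png", "gif", "docx", "odt", "zip"}


def normalized_extension(filename: str) -> str:
    """Return the lowercased final extension of filename, or '' if none.

    Only the last extension counts, and trailing dots/spaces are stripped so
    'test.html2.' is not mistaken for an extension-less name.
    """
    base = os.path.basename(filename.rstrip(". "))
    _, dot, ext = base.rpartition(".")
    return ext.lower() if dot else ""


def denylist_allows(filename: str) -> bool:
    """The blacklist approach: anything not explicitly named is let through."""
    return normalized_extension(filename) not in DENIED_EXTENSIONS


def allowlist_allows(filename: str) -> bool:
    """The whitelist approach the report recommends: only named extensions pass."""
    ext = normalized_extension(filename)
    return ext != "" and ext in ALLOWED_EXTENSIONS


def download_headers(filename: str) -> dict:
    """Headers for serving a stored upload by direct URL: force a download and
    forbid MIME sniffing, so stray markup is never rendered in the site's origin."""
    safe_name = os.path.basename(filename).replace('"', "").replace("\r", "").replace("\n", "")
    return {
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Type": "application/octet-stream",
    }


if __name__ == "__main__":
    for name in ["report.pdf", "test.html2", "shell.php7", "shell.phps", "PAGE.HTML", "noext"]:
        print(f"{name:12} denylist={denylist_allows(name)!s:5} allowlist={allowlist_allows(name)}")
```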

We have contacted a member of the admidio team and are waiting to hear back (a month ago)

admidio/admidio maintainer (Maintainer), a month ago:

Thanks for the hint. We will implement a whitelist check within the next version.

admidio/admidio maintainer validated this vulnerability (a month ago)
JoMar has been awarded the disclosure bounty
The fix bounty is now up for grabs

admidio/admidio maintainer (Maintainer), a month ago:


This issue is fixed with version 4.0.10, which has just been released. There we introduce a whitelist for file extensions.

Markus Faßbender confirmed that a fix has been merged on cb51a9 (a month ago)
Markus Faßbender has been awarded the fix bounty