Cross-site Scripting (XSS) - Stored in francoisjacquet/rosariosis

Valid

Reported on Nov 27th 2021


Description

I found XSS in the file upload function of the messaging feature.

Proof of Concept

Steps

1. First, access the latest version of the demo environment: https://www.rosariosis.org/demonstration/index.php

2. Then log in with the student account. Student: username and password "student"

3. After logging in, access "MESSAGING > Write" from the menu on the left. (/demonstration/Modules.php?modname=Messaging/Write.php)

4. Then enter a title and message as appropriate.

5. Now upload the SVG file containing the XSS payload under "File Attached".

6. Finally, select "Teach Teacher" as the recipient and send.

7. Next, log in with the teacher account. Teacher: username and password "teacher"

8. After logging in, access "MESSAGING > Messages" from the menu and select the message you just sent.

9. Then click on the attached file and a pop-up will appear.

Summary

- Endpoint: POST /demonstration/Modules.php?modname=Messaging/Write.php&search_modfunc=list&recipients_key=staff_id&subject=<title>&message=<message>&recipients_ids[0]=2&send=Send

- Attachment: SVG file

- Test Payload: <script type="text/javascript">alert(document.cookie)</script>

Impact

This vulnerability can steal a user's cookie.
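The root cause described in this report is that an SVG attachment is stored and later rendered in the application's origin, so any <script> element inside it executes for the teacher who opens it. The maintainer's immediate fix was to disable SVG upload. The following Python is an added example of that mitigation, not RosarioSIS's own (PHP) upload handler: it allowlists attachment types by extension and magic bytes (SVG, being plain text, has no magic bytes and is not on the list), detects an SVG body hiding under a harmless extension, and shows the response headers that keep a stored attachment from being rendered inline. The function names, the allowlist and the sample inputs are assumptions constructed for the example.

```python
import os
import xml.etree.ElementTree as ET

# Attachment types the messaging module may accept, keyed by extension with
# the magic bytes each body must start with. SVG is deliberately absent: a
# browser renders SVG as a document, so a <script> element inside one runs in
# the application's origin, which is the stored XSS the report describes.
# (Assumed allowlist; RosarioSIS's real list may differ.)
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}

SVG_NAMESPACE = "http://www.w3.org/2000/svg"


def looks_like_svg(data: bytes) -> bool:
    """True when the body parses as XML whose root element is <svg>.

    Inspecting the content rather than the file name catches an SVG uploaded
    under an allowed-looking extension. ElementTree is used here for brevity;
    a production validator should parse with defusedxml so that entity
    expansion cannot be turned against the check itself."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return False
    tag = root.tag
    if tag.startswith("{"):  # ElementTree spells namespaced tags as {ns}local
        namespace, _, local = tag[1:].partition("}")
        return local == "svg" and namespace == SVG_NAMESPACE
    return tag == "svg"


def validate_attachment(filename: str, data: bytes) -> tuple[bool, str]:
    """Allowlist check for an uploaded attachment.

    The extension must be known and the body must carry that type's magic
    bytes; an SVG body is rejected whatever the extension says.
    Returns (accepted, reason)."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    if ext not in ALLOWED_TYPES:
        return False, f"extension '{ext or '<none>'}' is not allowed"
    if looks_like_svg(data):
        return False, "body is an SVG document"
    if not data.startswith(ALLOWED_TYPES[ext]):
        return False, f"body does not look like a {ext} file"
    return True, "ok"


def attachment_headers(filename: str) -> dict[str, str]:
    """Response headers for serving a stored attachment.

    Even for allowlisted types, forcing a download, forbidding content
    sniffing and sandboxing the response means that a file with active
    content which slips through is not rendered in the application's origin."""
    safe_name = os.path.basename(filename).replace('"', "")
    return {
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }


# Constructed sample inputs for the example (not files from the report).
SVG_XSS = (
    b'<?xml version="1.0"?>'
    b'<svg xmlns="http://www.w3.org/2000/svg">'
    b'<script type="text/javascript">alert(document.cookie)</script>'
    b"</svg>"
)
TINY_PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    for name, body in [
        ("payload.svg", SVG_XSS),   # rejected by extension
        ("payload.png", SVG_XSS),   # rejected by content sniff
        ("photo.png", TINY_PNG_HEADER),  # accepted
    ]:
        print(name, validate_attachment(name, body))
    print(attachment_headers("photo.png"))
```

The two checks are complementary: the allowlist stops the case in the report (a file ending in .svg), while the content sniff stops the same document renamed to an allowed extension; the download headers are the last line of defence if either check is ever relaxed.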

morioka12 modified the report 6 months ago

François (Maintainer), a month ago:

Hello @scgajge12

Thank you very much for your report. SVG upload has been disabled for now. I may introduce an SVG sanitizing routine in the future.

François Jacquet validated this vulnerability a month ago
morioka12 has been awarded the disclosure bounty
The fix bounty is now up for grabs
François Jacquet confirmed that a fix has been merged on dcd3b8 a month ago
François Jacquet has been awarded the fix bounty