Unrestricted XML Files Leads to Stored XSS in microweber/microweber

Valid

Reported on

Mar 12th 2022


Description

The web application restricts uploaded files by a blacklist of extensions. A blacklist is not a safe way to prevent this attack, because many other extensions can be used to attack users and the web application. By uploading an XML file, a user can perform a stored XSS attack.

Proof of Concept

[1.] Log in with a valid user account at: https://demo.microweber.org/demo/admin/

[2.] Upload an XML file that embeds JavaScript code in the "Files" module (https://demo.microweber.org/demo/admin/view:modules/load_module:files); this is the content of the XML file:

<x:script xmlns:x="http://www.w3.org/1999/xhtml">alert(document.cookie)</x:script>

[3.] By clicking to view the XML file, or by accessing the file's URL directly, the attacker can execute the JavaScript code.

Impact

If an attacker can control a script that is executed in the victim's browser, they can compromise that user, in this case an admin, by stealing their cookies.
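As an added defensive illustration (not part of the report and not microweber's code), the Python below shows why the extension blacklist in the description lets the XML payload through, and what an allowlist, XML content inspection and download-only serving look like instead; the extension lists and function names are assumptions.

```python
import posixpath
import xml.etree.ElementTree as ET

# Constructed, illustrative lists (not microweber's actual configuration).
BLACKLIST = {"php", "phtml", "html", "htm", "js", "svg"}       # the weak approach
INLINE_ALLOWLIST = {"png", "jpg", "jpeg", "gif", "webp", "pdf", "txt"}

XHTML_NS = "http://www.w3.org/1999/xhtml"
SVG_NS = "http://www.w3.org/2000/svg"

def extension(filename: str) -> str:
    # Lower-cased last extension: "payload.xml" -> "xml"
    return posixpath.splitext(filename)[1].lstrip(".").lower()

def blacklist_allows(filename: str) -> bool:
    # Blacklist check as described in the report: anything not listed passes,
    # so "payload.xml" is accepted even though a browser will render it.
    return extension(filename) not in BLACKLIST

def allowlist_allows(filename: str) -> bool:
    # Positive list of the formats the application actually needs.
    return extension(filename) in INLINE_ALLOWLIST

def xml_contains_script(data: bytes) -> bool:
    """Detect active content in an XML body: a <script> element in the XHTML
    or SVG namespace, on* event-handler attributes, or javascript: URLs."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return False  # not well-formed XML; a real upload handler would reject it
    for el in root.iter():
        tag = el.tag if isinstance(el.tag, str) else ""
        if tag in (f"{{{XHTML_NS}}}script", f"{{{SVG_NS}}}script", "script"):
            return True
        for name, value in el.attrib.items():
            local = name.rsplit("}", 1)[-1].lower()
            if local.startswith("on") or value.strip().lower().startswith("javascript:"):
                return True
    return False

def serving_headers(filename: str) -> dict:
    # Every file is served with nosniff; anything outside the allowlist is
    # forced to download so the browser never renders it as a document.
    headers = {"X-Content-Type-Options": "nosniff"}
    if not allowlist_allows(filename):
        headers["Content-Disposition"] = "attachment"
    return headers

# Constructed sample: the XML payload quoted in the proof of concept above.
PAYLOAD = b'<x:script xmlns:x="http://www.w3.org/1999/xhtml">alert(document.cookie)</x:script>'
```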

Timeline

We are processing your report and will contact the microweber team within 24 hours.
thanhlocpanda modified the report
thanhlocpanda modified the report
We have contacted a member of the microweber team and are waiting to hear back.
Bozhidar Slaveykov validated this vulnerability
thanhlocpanda has been awarded the disclosure bounty
The fix bounty is now up for grabs
Bozhidar Slaveykov marked this as fixed in 1.2.12 with commit 975fc1
Bozhidar Slaveykov has been awarded the fix bounty
This vulnerability will not receive a CVE