Cross-site Scripting (XSS) - Stored in e107inc/e107

Valid

Reported on

Jan 12th 2022


A Stored Cross-Site Scripting (XSS) using svg exists in e107 version 2.3.1

Date: 12/1/2022

Exploit Author: Trương Hữu Phúc

Contact me:

  • Github: https://github.com/truonghuuphuc
  • Facebook: https://www.facebook.com/DdosFulzac.auz1/
  • Email: phuctruong2k@gmail.com
  • Product: e107
  • Version: 2.3.1

Suggestions: I think should limit some file and check content file before upload.

File affect: https://github.com/e107inc/e107/blob/master/e107_admin/image.php#L2484

Proof of concept (POC):

  1. Login admin
  2. Manage -> Media Manager
  3. Create Category -> Image
  4. Upload a file -> from a remote location
  • File Report: https://drive.google.com/file/d/1OGf1zYt9xd_PTt_N08K4C8n1KhWDbBdl/view?usp=sharing
  • Video Poc: https://drive.google.com/file/d/1IGwsnC4iY_XMZ0BhreiF-_4I5-rUPWHv/view?usp=sharing
We are processing your report and will contact the e107inc/e107 team within 24 hours. 4 months ago
We have contacted a member of the e107inc/e107 team and are waiting to hear back 4 months ago
We have sent a follow up to the e107inc/e107 team. We will try again in 7 days. 4 months ago
Cameron
4 months ago

Maintainer


@truonghuuphuc Please test again with the github version.

Trương Hữu Phúc
4 months ago

Researcher


@Maintainer github version 2.3.2 have fix not allow file svg

Trương Hữu Phúc
4 months ago

Researcher


For version I can upload file.svg. I downloaded at this link https://sourceforge.net/projects/e107/files/v2.3.1/

Cameron
4 months ago

Maintainer


@truonghuuphuc Yes, this issue was already reported about v2.3.1 and v2.3.2 (on github) corrects the issue.

Trương Hữu Phúc
4 months ago

Researcher


@Maintainer did you specify cve for this problem ?

We have sent a second follow up to the e107inc/e107 team. We will try again in 10 days. 4 months ago
Cameron validated this vulnerability 4 months ago
Trương Hữu Phúc has been awarded the disclosure bounty
The fix bounty is now up for grabs
Cameron confirmed that a fix has been merged on 90108e 4 months ago
Cameron has been awarded the fix bounty
Trương Hữu Phúc
4 months ago

Researcher


@admin Can you help me registration CVE ? Thank @admin

Jamie Slome
4 months ago

Admin


Before we can assign a CVE, we just need to confirm with the maintainer that they are happy to publish one.

Cameron, are you happy for a CVE to be published for this report? 🤝

to join this conversation