Stored Cross Site Scripting (XSS) in snipe/snipe-it

Valid

Reported on

Oct 5th 2023


Description

The location endpoint is not sanitized which leads to the Stored Cross Site Scripting (XSS)

Proof of Concept

1. Login as a standard user [non-admin] > Asset page > List All

https://drive.google.com/file/d/1qymhc6sMe9EeS2bOe4CE2XTAbzFkgHao/view?usp=drive_link

2. Click to open any asset > Edit Asset

https://drive.google.com/file/d/14a5UoZ1K6KQgIp6xZq5JJZpBwuhVPbPS/view?usp=drive_link

3. Create new location and add the payload: <script>alert("Testing")</script> and save the asset

https://drive.google.com/file/d/1bUB94JO9EsbdZ1qbKVVHip2mARJ5Sp-W/view?usp=drive_link
https://drive.google.com/file/d/199_wIhmlvs6Zkx1Q-vJr8MjS9u0yB18o/view?usp=drive_link

4. Now login to the Admin account > Asset page > List All

https://drive.google.com/file/d/1ZoQXQhtWLlq4_Jqp2KesTNp73F3MnQro/view?usp=drive_link

5. Open the same asset of which you can change the location and the payload will get executed.

https://drive.google.com/file/d/18QXuJRZ0gh_wUegp5JI2EpK1g2jCF4CC/view?usp=drive_link



Video POC: https://drive.google.com/file/d/1ELndiBIkWu6nIfib2p-uXqsTALABC2F8/view?usp=sharing

# Impact

This vulnerability leads to JavaScript Code Execution.

References

We are processing your report and will contact the snipe/snipe-it team within 24 hours. 5 months ago
We have contacted a member of the snipe/snipe-it team and are waiting to hear back 5 months ago
snipe/snipe-it maintainer
5 months ago

I don't really see how this is possible though. The code itself there shows:

php @can('superuser') <a href="{{ route('locations.show', ['location' => $asset->defaultLoc->id]) }}"> {{ $asset->defaultLoc->name }} </a> @else {{ $asset->defaultLoc->name }} @endcan

Nothing in there is un-escaped.

Shahzaib
5 months ago

Researcher


The video POC is already attached for your understanding: https://drive.google.com/file/d/1ELndiBIkWu6nIfib2p-uXqsTALABC2F8/view?usp=sharing

Shahzaib Ali Khan modified the report
5 months ago
Shahzaib Ali Khan modified the report
5 months ago
snipe/snipe-it maintainer
5 months ago

I also cannot reproduce this. Using your steps (the non-admin user needs to be able to edit assets and locations to be able to add new locations from that asset field at all.

No alert fires.

Do you have the debug-bar turned on? That will cause false positives when doing XSS testing. It's an artifact of the debugger itself, not of the Snipe-IT code.

snipe/snipe-it maintainer
5 months ago

I watched the video - I still cannot reproduce it though. I'd check to see whether you have APP_DEBUG=true and see the debug bar at the bottom of the screen.

Shahzaib
5 months ago

Researcher


The super admin can assign the rights to any admin account but the issue is that the input of the admin is affecting the super admin or vice versa (You can view that in the new POCs).

The debugging is never enabled as shared in the POC.

Video POC 2: https://drive.google.com/file/d/1N-17PdVdOczCcO2wXd7jISYr1oqljTdO/view?usp=sharing

Video POC 3: https://drive.google.com/file/d/1rKXE8YYokdFHEZkaqNUKMSY-93urHQx4/view?usp=sharing

Shahzaib
5 months ago

Researcher


The newly shared POC number 2 and 3 are also created the same method as of POC 1

snipe/snipe-it maintainer
5 months ago

I am still unable to duplicate this. Is this reproducible on the demo, and the POC 3 video doesn't show that alert XSS at all, it just shows as displayed on the page as escaped text, which would be expected behavior.

Shahzaib
5 months ago

Researcher


Payload of POC 3: <script>window.location.replace("http://google.com");</script>

As already stated in the impact this vulnerability could result in JavaScript Code Execution, so in POC 3 as you can see I have used the JavaScript payload window.location.replace which would result in the URL to the arbitrary website which in the case of POC 3 is google.com

As requested, it has been tested on the demo. The POC for the demo is: https://drive.google.com/file/d/1JEUIVMtJSvKrQGSKQ8npcfwZ2Guoyu0E/view?usp=sharing

snipe/snipe-it maintainer
5 months ago

We can confirm that we can reproduce this on our own development workstations as well. We're working on a fix. Thank you for your report!

snipe/snipe-it maintainer validated this vulnerability 5 months ago
shahzaibak96 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Shahzaib
5 months ago

Researcher


SnipeIT team, can I get the CVE for my efforts and morivation?

snipe/snipe-it maintainer
5 months ago

The reason this was not able to reproduced is that it was not clarified that the "changed" column needs to be visible in order to trigger the error, as it was actually loading from the history tab.

snipe/snipe-it maintainer gave praise 5 months ago
Thank you for reporting this. It has been fixed.
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
snipe/snipe-it maintainer marked this as fixed in v6.2.2 with commit eea2ea 5 months ago
snipe has been awarded the fix bounty
This vulnerability has now been published 5 months ago
Shahzaib
5 months ago

Researcher


Thank you so much

to join this conversation