Cross-site Scripting (XSS) - Reflected in admidio/admidio

Valid

Reported on

Oct 18th 2021


Description

I have reviewed your fix for double URL encoding here:

https://github.com/Admidio/admidio/commit/6b3820a574dc5f52243fbaafdb7089560c99d949

But it can easily be bypassed by triple URL encoding.

Note: apparently, after applying the above fix from GitHub on the machine, I cannot use document_file_function to retrieve files anymore, but backup_file_function still performs the same thing.

Proof of Concept

Ensure you applied https://github.com/Admidio/admidio/commit/6b3820a574dc5f52243fbaafdb7089560c99d949, then trigger XSS with:

http://10.0.2.15/admidio/adm_program/modules/backup/backup_file_function.php?job=get_file&filename=%25253c%252573%252563%252572%252569%252570%252574%25253e%252561%25256c%252565%252572%252574%252528%252531%252529%25253c%25252f%252573%252563%252572%252569%252570%252574%25253e3e

Impact

It is possible to trick admin users into visiting the malicious link, executing the XSS and allowing cookies to be stolen; it is also possible to execute actions as an admin user via malicious JavaScript.

Occurrences

The problem is that url_decode is being called three times, and on the third call there are no HTML checks.
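The decoding-order defect described above (validate, then decode once more) is easy to reproduce outside the application. The following Python example is added here and is not Admidio's code; the function names, the markup check and the five-round decode limit are assumptions chosen for illustration. It places the flawed ordering next to a hardened variant that decodes to a fixpoint (with a bounded number of rounds) before the check runs, so no number of extra encoding layers can carry markup past the validation.

```python
from typing import Optional
from urllib.parse import quote, unquote

# Assumed upper bound on nested URL-encoding layers a legitimate filename may carry.
MAX_DECODE_ROUNDS = 5


def contains_markup(value: str) -> bool:
    """Hypothetical HTML check standing in for the application's own."""
    return "<" in value or ">" in value


def encode_layers(text: str, layers: int) -> str:
    """Constructed test input: URL-encode `text` `layers` times (quote is safe="" so '<' becomes %3C)."""
    for _ in range(layers):
        text = quote(text, safe="")
    return text


def vulnerable_get_filename(raw: str) -> Optional[str]:
    """Mirrors the ordering the report describes: three decodes, the check only before the last one."""
    once = unquote(raw)
    twice = unquote(once)
    if contains_markup(twice):
        return None          # double-encoded markup is caught here
    return unquote(twice)    # third decode runs unchecked: triple-encoded markup surfaces now


def fully_decode(raw: str) -> str:
    """Decode until the value stops changing; refuse inputs that need more than MAX_DECODE_ROUNDS."""
    value = raw
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many URL-encoding layers")


def hardened_get_filename(raw: str) -> Optional[str]:
    """Decode to a fixpoint first, then validate the final value the application will actually use."""
    try:
        value = fully_decode(raw)
    except ValueError:
        return None
    if contains_markup(value):
        return None
    return value


if __name__ == "__main__":
    triple = encode_layers("<x>", 3)      # constructed, same layering as the report's filename parameter
    print("triple-encoded input:", triple)
    print("vulnerable returns:", vulnerable_get_filename(triple))   # markup gets through
    print("hardened returns:  ", hardened_get_filename(triple))     # rejected
```

The important property of the hardened version is that validation happens on the exact string that will later be used, not on an intermediate representation; the round limit additionally turns deeply nested encodings into a rejection rather than a silent partial decode.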

We have contacted a member of the admidio team and are waiting to hear back (2 years ago)
haxatron modified the report (2 years ago)
Markus Faßbender validated this vulnerability 2 years ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Markus (Maintainer), 2 years ago:

Could you please review the latest implementation of the fix.

haxatron (Researcher), 2 years ago:

Reviewed the fix. Issue is solved!

Markus (Maintainer), 2 years ago:

Thanks for the quick review.

Markus Faßbender marked this as fixed with commit 01a83d 2 years ago
Markus Faßbender has been awarded the fix bounty
This vulnerability will not receive a CVE
Markus (Maintainer), 2 years ago:

This is fixed with version 4.0.11. Thanks for the research.

haxatron (Researcher), 2 years ago:

Np :)
