Cross-site Scripting (XSS) - Reflected in admidio/admidio

Valid

Reported on

Oct 18th 2021


Description

I have reviewed your fix for double URL encoding here:

https://github.com/Admidio/admidio/commit/6b3820a574dc5f52243fbaafdb7089560c99d949

But it can easily be bypassed by triple URL encoding.

Note: apparently after applying the above fix from Github on the machine, I cannot use the document_file_function to retrieve files anymore. But the backup_file_function still performs the same thing.

Proof of Concept

Ensure you applied https://github.com/Admidio/admidio/commit/6b3820a574dc5f52243fbaafdb7089560c99d949, then trigger XSS with:

http://10.0.2.15/admidio/adm_program/modules/backup/backup_file_function.php?job=get_file&filename=%25253c%252573%252563%252572%252569%252570%252574%25253e%252561%25256c%252565%252572%252574%252528%252531%252529%25253c%25252f%252573%252563%252572%252569%252570%252574%25253e3e

Impact

It is possible to trick admin users into visiting the malicious link, executing the XSS and allowing cookies to be stolen; it is also possible to execute actions as the admin user via malicious JavaScript.

Occurrences

The problem is that url_decode is being called three times, and on the 3rd time there are no HTML checks.
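To illustrate the ordering flaw described in the report (sanitize between decode passes, then decode once more unchecked) beside a safe ordering (decode fully, then validate and escape), here is an added Python example; it is not Admidio's code, and the function names and the `<b>x</b>` marker string are constructed for the demonstration.

```python
import html
from typing import Optional
from urllib.parse import quote, unquote

# Constructed marker standing in for the report's payload: the same string is
# sent with 1, 2 and 3 layers of percent-encoding.
MARKER = "<b>x</b>"


def encode_layers(value: str, layers: int) -> str:
    """Percent-encode `value` repeatedly (constructed test input)."""
    for _ in range(layers):
        value = quote(value, safe="")
    return value


def has_html(value: str) -> bool:
    return "<" in value or ">" in value


def vulnerable_filename(raw: str) -> Optional[str]:
    """Sketch of the flawed pattern (not the project's code): the value is
    decoded three times, but the HTML check only runs after the first two
    passes, so a third encoding layer is decoded after the last check."""
    value = unquote(raw)           # decode pass 1
    if has_html(value):
        return None
    value = unquote(value)         # decode pass 2
    if has_html(value):
        return None
    return unquote(value)          # decode pass 3: nothing checks the result


def hardened_filename(raw: str, max_layers: int = 5) -> Optional[str]:
    """Decode until the value stops changing (bounded), then validate and
    escape the final form so no extra encoding layer can hide markup."""
    value = raw
    for _ in range(max_layers):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    else:
        return None                # still changing after max_layers: reject
    if has_html(value):
        return None
    return html.escape(value, quote=True)
```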

We have contacted a member of the admidio team and are waiting to hear back (a year ago)
haxatron modified the report (a year ago)
haxatron modified the report (a year ago)
haxatron modified the report (a year ago)
haxatron modified the report (a year ago)
Markus Faßbender validated this vulnerability (a year ago)
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Markus
a year ago

Maintainer


Could you please review the latest implementation of the fix.

haxatron
a year ago

Researcher


Reviewed the fix. Issue is solved!

Markus
a year ago

Maintainer


Thanks for the quick review.

Markus Faßbender confirmed that a fix has been merged on 01a83d (a year ago)
Markus Faßbender has been awarded the fix bounty
Markus
a year ago

Maintainer


This is fixed with version 4.0.11. Thanks for the research.

haxatron
a year ago

Researcher


Np :)
