Cross-site Scripting (XSS) - Reflected in admidio/admidio

Valid

Reported on

Oct 18th 2021


Description

Have reviewed your fix for double URL encoding here:

https://github.com/Admidio/admidio/commit/6b3820a574dc5f52243fbaafdb7089560c99d949

But it can easily be bypassed by triple URL encoding.

Note: apparently after applying the above fix from Github on the machine, I cannot use the document_file_function to retrieve files anymore. But the backup_file_function still performs the same thing.

Proof of Concept

Ensure you applied https://github.com/Admidio/admidio/commit/6b3820a574dc5f52243fbaafdb7089560c99d949, then trigger XSS with:

http://10.0.2.15/admidio/adm_program/modules/backup/backup_file_function.php?job=get_file&filename=%25253c%252573%252563%252572%252569%252570%252574%25253e%252561%25256c%252565%252572%252574%252528%252531%252529%25253c%25252f%252573%252563%252572%252569%252570%252574%25253e3e

Impact

An attacker could trick an admin user into visiting the malicious link, executing the XSS and allowing cookies to be stolen; it is also possible to execute actions as the admin user via malicious JavaScript.

Occurrences

The problem is that url_decode is called three times, and after the third call there are no HTML checks.

We have contacted a member of the admidio team and are waiting to hear back a month ago
haxatron modified their report a month ago
Markus Faßbender validated this vulnerability a month ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Markus
a month ago

Maintainer


Could you please review the latest implementation of the fix.

haxatron
a month ago

Researcher


Reviewed the fix. Issue is solved!

Markus
a month ago

Maintainer


Thanks for the quick review.

Markus Faßbender confirmed that a fix has been merged on 01a83d a month ago
Markus Faßbender has been awarded the fix bounty
Markus
a month ago

Maintainer


This is fixed with version 4.0.11. Thanks for the research.

haxatron
a month ago

Researcher


Np :)