Stored XSS in kiwitcms/kiwi
Jun 24th 2023
The application contains a stored XSS vulnerability, which allows an attacker to inject and execute malicious scripts within the application. The vulnerability occurs due to improper input validation and output encoding mechanisms, which fail to adequately sanitize and encode user-generated content.
Proof of Concept:
1- Create a new test plan (e.g., "plan1") as a parent plan within the application.
2- Create another test plan (e.g., "plan2"), specifically for uploading a payload. Utilize the "Attachments" feature of "plan2" to upload a file containing an XSS payload. Upon successful upload, a path will be generated for the uploaded file (e.g., "http://localhost/uploads/attachments/testplans_testplan/2/xss.j"). Make sure to copy this path for later use.
3- Create a new test (e.g., "plan3") with the following name:
<script src=/uploads/attachments/testplans_testplan/2/xss.js"></script>. Additionally, specify the parent ID of "plan3" as the ID of "plan1" and save the test.
4- Access the URL of "plan1" or "plan3" within the application.
5- As a result of the vulnerability, the XSS payload injected through the test name will be executed within the application, potentially leading to malicious actions.
POC video: https://youtu.be/7_RxyZYcKxw
Stored XSS (Cross-Site Scripting) vulnerability can have significant impacts on the security of a web application. In simple terms, it allows attackers to inject malicious code into the application's storage, which then gets displayed to other users visiting the affected page. This can lead to various harmful consequences, such as the execution of unauthorized actions on behalf of the user, stealing sensitive information like login credentials or personal data, manipulating website content, or even spreading phishing attacks. Essentially, it puts users at risk of having their browsers execute malicious scripts without their knowledge or consent, making it crucial to address this vulnerability promptly to ensure the safety of users and protect the integrity of the application.