Stored Cross Site Scripting (XSS) in snipe/snipe-it
Reported on Oct 5th 2023
Description
The location endpoint is not sanitized, which leads to Stored Cross Site Scripting (XSS).
Proof of Concept
1. Log in as a standard user (non-admin) > Asset page > List All
https://drive.google.com/file/d/1qymhc6sMe9EeS2bOe4CE2XTAbzFkgHao/view?usp=drive_link
2. Click to open any asset > Edit Asset
https://drive.google.com/file/d/14a5UoZ1K6KQgIp6xZq5JJZpBwuhVPbPS/view?usp=drive_link
3. Create new location and add the payload: <script>alert("Testing")</script> and save the asset
https://drive.google.com/file/d/1bUB94JO9EsbdZ1qbKVVHip2mARJ5Sp-W/view?usp=drive_link
https://drive.google.com/file/d/199_wIhmlvs6Zkx1Q-vJr8MjS9u0yB18o/view?usp=drive_link
4. Now login to the Admin account > Asset page > List All
https://drive.google.com/file/d/1ZoQXQhtWLlq4_Jqp2KesTNp73F3MnQro/view?usp=drive_link
5. Open the same asset whose location you changed, and the payload will execute.
https://drive.google.com/file/d/18QXuJRZ0gh_wUegp5JI2EpK1g2jCF4CC/view?usp=drive_link
Video POC: https://drive.google.com/file/d/1ELndiBIkWu6nIfib2p-uXqsTALABC2F8/view?usp=sharing
Impact
This vulnerability leads to JavaScript Code Execution.
References
I don't really see how this is possible though. The code itself there shows:

```php
@can('superuser')
<a href="{{ route('locations.show', ['location' => $asset->defaultLoc->id]) }}">
    {{ $asset->defaultLoc->name }}
</a>
@else
{{ $asset->defaultLoc->name }}
@endcan
```

Nothing in there is un-escaped.
The video POC is already attached for your understanding: https://drive.google.com/file/d/1ELndiBIkWu6nIfib2p-uXqsTALABC2F8/view?usp=sharing
I also cannot reproduce this. Using your steps (the non-admin user needs to be able to edit assets and locations to be able to add new locations from that asset field at all), no alert fires.
Do you have the debug-bar turned on? That will cause false positives when doing XSS testing. It's an artifact of the debugger itself, not of the Snipe-IT code.
I watched the video - I still cannot reproduce it though. I'd check to see whether you have APP_DEBUG=true and see the debug bar at the bottom of the screen.
The super admin can assign the rights to any admin account, but the issue is that the input of the admin is affecting the super admin or vice versa (you can view that in the new POCs).
The debugging is never enabled as shared in the POC.
Video POC 2: https://drive.google.com/file/d/1N-17PdVdOczCcO2wXd7jISYr1oqljTdO/view?usp=sharing
Video POC 3: https://drive.google.com/file/d/1rKXE8YYokdFHEZkaqNUKMSY-93urHQx4/view?usp=sharing
The newly shared POCs 2 and 3 were also created with the same method as POC 1.
I am still unable to duplicate this. Is this reproducible on the demo? Also, the POC 3 video doesn't show that alert XSS at all; it just shows as displayed on the page as escaped text, which would be expected behavior.
Payload of POC 3: <script>window.location.replace("http://google.com");</script>
As already stated in the impact, this vulnerability could result in JavaScript code execution, so in POC 3, as you can see, I used the JavaScript payload window.location.replace, which redirects to an arbitrary website, which in the case of POC 3 is google.com.
As requested, it has been tested on the demo. The POC for the demo is: https://drive.google.com/file/d/1JEUIVMtJSvKrQGSKQ8npcfwZ2Guoyu0E/view?usp=sharing
We can confirm that we can reproduce this on our own development workstations as well. We're working on a fix. Thank you for your report!
SnipeIT team, can I get the CVE for my efforts and motivation?
The reason this could not be reproduced is that it was not clarified that the "changed" column needs to be visible in order to trigger the error, as it was actually loading from the history tab.
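Added example, not Snipe-IT code: a small Blade template scanner that lists every echo directive and flags the raw `{!! !!}` form, which is the first thing to look for when, as in this thread, the escaped `{{ }}` view quoted above looks clean but a stored value still executes somewhere else (here, the history tab's "changed" column). ASSET_VIEW is the fragment quoted in the thread; HISTORY_COLUMN is a constructed stand-in rather than the actual Snipe-IT template, and a raw echo is a lead to review, not proof of a bug.

```python
import re
from dataclasses import dataclass

# Blade echo forms: {{ expr }} is HTML-escaped, {!! expr !!} is emitted raw.
RAW_ECHO = re.compile(r"\{!!\s*(.*?)\s*!!\}", re.S)
ESCAPED_ECHO = re.compile(r"(?<!@)\{\{\s*(.*?)\s*\}\}", re.S)  # @{{ }} is a literal, not an echo
COMMENT = re.compile(r"\{\{--.*?--\}\}", re.S)

@dataclass
class Echo:
    line: int
    expr: str
    escaped: bool

def scan_blade(template: str) -> list[Echo]:
    """List every echo directive in a Blade template, sorted by line."""
    # Blank out comments with same-length whitespace so line numbers survive.
    text = COMMENT.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), template)
    found = []
    for regex, escaped in ((RAW_ECHO, False), (ESCAPED_ECHO, True)):
        for m in regex.finditer(text):
            line = text.count("\n", 0, m.start()) + 1
            found.append(Echo(line, m.group(1), escaped))
    return sorted(found, key=lambda e: (e.line, e.expr))

def raw_echoes(template: str) -> list[Echo]:
    """The findings a reviewer wants: values written to the page unescaped."""
    return [e for e in scan_blade(template) if not e.escaped]

# The fragment quoted in the thread: every echo uses {{ }}, so nothing is flagged.
ASSET_VIEW = """@can('superuser')
<a href="{{ route('locations.show', ['location' => $asset->defaultLoc->id]) }}">
  {{ $asset->defaultLoc->name }}
</a>
@else
{{ $asset->defaultLoc->name }}
@endcan"""

# Constructed fragment (hypothetical, not Snipe-IT code) of a history "changed"
# column that echoes a stored value raw; this is the pattern the scanner surfaces.
HISTORY_COLUMN = """{{-- {!! $commented_out !!} --}}
<td>{{ $log->created_at }}</td>
<td class="changed">{!! $log->log_meta['location_id']['new'] !!}</td>
<td>@{{ vueBinding }}</td>"""

if __name__ == "__main__":
    for name, tpl in (("asset view", ASSET_VIEW), ("history column", HISTORY_COLUMN)):
        for e in raw_echoes(tpl):
            print(f"{name}: line {e.line}: raw echo of {e.expr}")
```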