I am a security researcher, and with my friend Manthan (@netsectuna), we reviewed the application and discovered multiple vulnerabilities.
Stored XSS
Description - The profile editor tool has an edit profile functionality; the parameters on this page are not properly sanitized, which leads to stored XSS attacks. An authenticated user can store XSS payloads in the profiles, which get triggered when any other user tries to access the edit profile page.
Impact - Medium/High (depends on how the server profile is configured: if LDAP users and the LDAP admin can both log in to LDAP Account Manager, an LDAP user can save XSS payloads to trigger tasks as admin)
Affected URL - http://<IP>/templates/profedit/profilepage.php
POC:
As an authenticated user, navigate to the URL - http://<IP>/templates/profedit/profilemain.php
Create a new user profile for either user or group (editing a profile will also work) and in the description field add the XSS payload "><script>alert(document.domain)</script>< and save the profile.
Now whenever any authenticated user edits this profile page, the XSS payload will be triggered.
Arbitrary jpg/png file read
Description - The PDF editor tool has an edit PDF profile functionality; the logoFile parameter in it is not properly sanitized and a user can enter relative paths like ../../../../../../../../../../../../../usr/share/icons/hicolor/48x48/apps/gvim.png via tools like Burp Suite. Later, when a PDF is exported using the edited profile, the PDF icon shows the image at that path (if an image is present).
Impact - Low (Impact is low due to the high unlikelihood of the LDAP admin knowing the locations of images containing any sensitive/personal information. One possible attack vector is to enumerate tools/software on the system by checking for icon images; like in this POC, we can verify the server has vim installed.)
Affected URL - http://<IP>/templates/pdfedit/pdfpage.php
POC:
As an authenticated user, navigate to the URL - http://<IP>/templates/pdfedit/pdfmain.php
Create a new PDF structure for either user or group (editing a profile will also work).
With the Burp Suite proxy on, click on save. In Burp Suite, replace the value of the logoFile parameter with the path of an image file, let's say ../../../../../../../../../../../../../usr/share/icons/hicolor/48x48/apps/gvim.png for the icon file of vim, and forward the request.
Now, while exporting a PDF for a user, if that POC profile is selected, the exported PDF will have the vim logo image.
We would have loved to fix these ourselves.... but cries because of bad dev skills.
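As an added example that is not part of this report or of LDAP Account Manager's own code, the following PHP sketches the two server-side checks that close the findings above: restricting logoFile to a bare file name inside an allowlisted logo directory (the directory path, the function names and the image-extension list are assumptions), and output-encoding the stored description when the edit form is rendered. The inputs at the bottom are the payloads quoted in the report, used only to show that they are neutralised.

```php
<?php
// Added example, not LAM's own code. LOGO_DIR, the function names and the
// accepted extensions are assumptions made for illustration.
declare(strict_types=1);

/** Directory from which PDF logos may be loaded (assumed location). */
const LOGO_DIR = '/var/lib/ldap-account-manager/config/pdf/logos';

/**
 * Resolve a user-supplied logoFile value to a file inside LOGO_DIR, or null.
 * Rejects directory components, absolute paths, symlink escapes and
 * non-image extensions, so a value such as
 * "../../usr/share/icons/hicolor/48x48/apps/gvim.png" never reaches the
 * PDF generator.
 */
function resolveLogoFile(string $logoFile, string $logoDir = LOGO_DIR): ?string
{
    // Only a bare file name is acceptable; any path separator means traversal.
    if ($logoFile === '' || $logoFile !== basename($logoFile)) {
        return null;
    }

    // Restrict the extension to the image types the feature supports.
    $ext = strtolower(pathinfo($logoFile, PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png'], true)) {
        return null;
    }

    // realpath() canonicalises and follows symlinks, so the containment
    // check below also catches a link inside the logo directory that points
    // elsewhere. It returns false when the file does not exist.
    $base = realpath($logoDir);
    $full = realpath($logoDir . DIRECTORY_SEPARATOR . $logoFile);
    if ($base === false || $full === false) {
        return null;
    }
    if (strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $full;
}

/**
 * Render a stored profile description into the value attribute of the edit
 * form. ENT_QUOTES escapes both quote styles, so a stored
 * "><script>alert(document.domain)</script>< cannot break out of the
 * attribute and becomes inert text.
 */
function renderDescriptionField(string $description): string
{
    $safe = htmlspecialchars(
        $description,
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
    return '<input type="text" name="description" value="' . $safe . '">';
}

// Constructed demonstration input: the payloads quoted in the report.
$storedDescription = '"><script>alert(document.domain)</script><';
echo renderDescriptionField($storedDescription), PHP_EOL;

$traversal = '../../../../../../../../../../../../../usr/share/icons/hicolor/48x48/apps/gvim.png';
var_dump(resolveLogoFile($traversal));   // rejected: contains path separators
var_dump(resolveLogoFile('logo.png'));   // accepted only if LOGO_DIR/logo.png exists
```

The escaping belongs at the point of output (the edit form), not at storage time, so that the same stored value is safe in every context it is rendered in; the logoFile check belongs wherever the profile is saved and, defensively, again where the PDF is generated, since the saved profile is the only thing the export code should trust.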