Stored XSS via SVG file Vulnerability on Bludit v3.14.1 #1509

Open
rahadchowdhury opened this issue Apr 14, 2023 · 0 comments

Description:
I found a stored cross-site scripting (XSS) vulnerability in your Bludit - Flat-File CMS (v3.14.1) in the "Logo" field of the "General" settings. When I send malicious code using an SVG file, the browser gives me the result.

CMS Version:
v3.14.1

Affected URL:
http://127.0.0.1/bludit/admin/settings

Steps to Reproduce:

  1. First, log in to your admin panel.
  2. Then go to General settings and click the logo section.

screenshot1

  3. Now open Notepad and save this code under the name xss.svg, including the extension.

script

  4. Now upload this xss.svg file in the logo section. Your request data will be:

```http
POST /bludit/admin/ajax/logo-upload HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0
Content-Type: multipart/form-data; boundary=---------------------------15560729415644048492005010998
Referer: http://127.0.0.1/bludit/admin/settings
Cookie: BLUDITREMEMBERUSERNAME=admin; BLUDITREMEMBERTOKEN=139167a80807781336bc7484552bc985; BLUDIT-KEY=tmap19d0m813e8rqfft8rsl74i
Content-Length: 651

-----------------------------15560729415644048492005010998
Content-Disposition: form-data; name="tokenCSRF"

626c201693546f472cdfc11bed0938aab8c6e480
-----------------------------15560729415644048492005010998
Content-Disposition: form-data; name="inputFile"; filename="xss.svg"
Content-Type: image/svg+xml



-----------------------------15560729415644048492005010998--
```

screenshot3

  5. Now open the link of the logo image that you uploaded. You will see the XSS pop-up.

screenshot2

Proof of Concept:
You can see the proof of concept: I've attached screenshots and a video to confirm the vulnerability.

poc.mp4

Impact:
Attackers can make use of this to conduct attacks like phishing, stealing sessions, etc.

Let me know if any further info is required.

Thanks & Regards
Rahad Chowdhury
Cyber Security Specialist
https://www.linkedin.com/in/rahadchowdhury/

@rahadchowdhury rahadchowdhury changed the title Stored XSS Vulnerability on Bludit v3.14.1 Stored XSS using SVG file Vulnerability on Bludit v3.14.1 Apr 14, 2023
@rahadchowdhury rahadchowdhury changed the title Stored XSS using SVG file Vulnerability on Bludit v3.14.1 Stored XSS via SVG file Vulnerability on Bludit v3.14.1 Apr 14, 2023
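
One way to close this class of issue on the server side, as an added example that is not part of the original report and not Bludit's own code: an allow-list check run on an uploaded SVG before it is stored as the logo. The function name `svgLogoIsSafe`, the constants and both allow-lists are assumptions made for illustration.

```php
<?php
// Added example, not Bludit code. svgLogoIsSafe() and both allow-lists are
// hypothetical; extend the lists to match the logos you actually accept.
const SVG_NS = 'http://www.w3.org/2000/svg';
const SVG_ELEMENTS = ['svg', 'g', 'path', 'rect', 'circle', 'ellipse', 'line',
    'polyline', 'polygon', 'title', 'desc', 'defs', 'linearGradient',
    'radialGradient', 'stop'];
const SVG_ATTRIBUTES = ['id', 'version', 'viewBox', 'width', 'height', 'x', 'y',
    'x1', 'y1', 'x2', 'y2', 'cx', 'cy', 'r', 'rx', 'ry', 'd', 'points', 'fill',
    'stroke', 'stroke-width', 'opacity', 'transform', 'offset', 'stop-color'];

function svgLogoIsSafe(string $svg): bool
{
    // Refuse empty input and DTD markup: no entities, no external subsets.
    if ($svg === '' || stripos($svg, '<!DOCTYPE') !== false || stripos($svg, '<!ENTITY') !== false) {
        return false;
    }
    $previous = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $parsed = $doc->loadXML($svg, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if (!$parsed || $doc->documentElement === null || $doc->documentElement->localName !== 'svg') {
        return false;
    }
    // Processing instructions such as xml-stylesheet can pull in other content.
    if ((new DOMXPath($doc))->query('//processing-instruction()')->length > 0) {
        return false;
    }
    foreach ($doc->getElementsByTagName('*') as $element) {
        // Anything outside the list is rejected: script, foreignObject, a, use, ...
        if ($element->namespaceURI !== SVG_NS || !in_array($element->localName, SVG_ELEMENTS, true)) {
            return false;
        }
        foreach ($element->attributes as $attribute) {
            // Rejects on* handlers, href / xlink:href, style, and unknown names.
            if (!in_array($attribute->nodeName, SVG_ATTRIBUTES, true)) {
                return false;
            }
        }
    }
    return true;
}

// Constructed samples: a plain logo, and a file carrying a script element.
$logo = '<svg xmlns="' . SVG_NS . '" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4" fill="#06c"/></svg>';
$active = '<svg xmlns="' . SVG_NS . '"><script>/* placeholder */</script></svg>';
var_dump(svgLogoIsSafe($logo));
var_dump(svgLogoIsSafe($active));
```

As a second layer, serving uploaded files with a `Content-Security-Policy` header that disallows scripts, or with `Content-Disposition: attachment`, keeps an SVG that slips past validation from running script when its URL is opened directly.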