
Stored XSS in the "Share Video" section under "OrangeBuzz" via the GET/POST "createVideo[linkAddress]" parameter #1176

Closed
zerodaywolf opened this issue Mar 10, 2022 · 1 comment

Comments

@zerodaywolf

Environment details
OrangeHRM version: 4.10
OrangeHRM source: Release build from Sourceforge or Git clone
Platform: Ubuntu
PHP version: 7.3.33
Database and version: MariaDB 10.3
Web server: Apache 2.4.52

If applicable:
Browser: Firefox

Describe the bug
In order to share a video, a user provides the URL in the "Share Video" feature under "Buzz". A GET request is then sent to the /symfony/web/index.php/buzz/addNewVideo endpoint with the URL as a parameter. The application's backend then validates the URL against a whitelist of domains and sends an appropriate response. If the domain in the URL is in the whitelist, the application creates an iframe element and embeds the video link in it. The user then submits the post by clicking the "Save Video" button.

The "OrangeBuzz" page, including the newly posted video, is sent back in the response body. The initial whitelist-based validation can be bypassed by sending a request, like the above, containing any arbitrary URL in the createVideo%5BlinkAddress%5D parameter. The value of this parameter is injected into the iframe's src attribute. Due to this, it is possible to inject the javascript: pseudo-protocol and gain arbitrary JavaScript execution in the browser of anyone who visits the "OrangeBuzz" page. For example, the string javascript:alert(document.domain) can be passed as the value of the createVideo%5BlinkAddress%5D parameter. When a user visits the OrangeBuzz page, the payload will be interpreted as JavaScript and executed, so an alert will pop up with the domain hosting the application at that instance.

To Reproduce

  1. Log in to the OrangeHRM application
  2. Navigate to "Buzz" > "Share Video"
  3. Paste any youtube.com video link
  4. Turn on Intercept in Burp Suite (or any other web proxy)
  5. Click on "Save video"
  6. Replace the value of the POST parameter createVideo%5BlinkAddress%5D with javascript:alert(document.domain) and click on "Forward" in Burp
  7. Turn off Intercept in Burp
  8. Navigate to "Buzz"
  9. Notice that an alert will pop up with the domain value of the application's server printed, which means the payload we injected into the createVideo%5BlinkAddress%5D parameter is interpreted as valid JavaScript and is executed.

Expected behavior
The value of the createVideo%5BlinkAddress%5D parameter is validated by the application's backend and an error is thrown.

What do you see instead:
The post gets uploaded successfully.

Screenshots
[two screenshots attached to the issue, not reproduced here]
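The report describes two missing server-side controls: the scheme of the stored createVideo[linkAddress] value is never restricted to http(s), and the host is only checked by the earlier addNewVideo lookup rather than at save time. The following is an added illustration of that check, written for this page in Python rather than the project's PHP and not taken from OrangeHRM's code; the allowlist of video hosts and the iframe template are constructed assumptions.

```python
from html import escape
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist for this example; OrangeHRM's real list is not on the page.
ALLOWED_VIDEO_HOSTS = {"youtube.com", "www.youtube.com", "youtu.be", "vimeo.com"}


def validate_video_url(url: str) -> Optional[str]:
    """Return a normalised URL that is safe to embed, or None to reject it.

    This runs on the value that is actually saved, which is the step the
    report says is missing: the addNewVideo lookup alone can be bypassed.
    """
    parts = urlsplit(url.strip())
    # 1. Scheme: only http(s). HTML-escaping cannot neutralise javascript:
    #    or data: inside an iframe src, so the scheme has to be rejected.
    if parts.scheme not in ("http", "https"):  # urlsplit lower-cases scheme
        return None
    # 2. Host: exact match against the allowlist. parts.hostname is lower-cased
    #    and excludes any user:pass@ prefix, so "youtube.com@evil" is caught by
    #    the username check and ".youtube.com.evil" by the exact match.
    if parts.username is not None or parts.hostname not in ALLOWED_VIDEO_HOSTS:
        return None
    # 3. Rebuild from parsed parts so only https://host/path?query survives;
    #    credentials, explicit ports and fragments are dropped.
    return urlunsplit(("https", parts.hostname, parts.path, parts.query, ""))


def render_video_iframe(url: str) -> Optional[str]:
    """Build the iframe markup a post would carry, or None if rejected."""
    safe_url = validate_video_url(url)
    if safe_url is None:
        return None
    # Attribute-escaping is a second layer: it stops breaking out of the quoted
    # attribute, but only the scheme check above stops a javascript: URL.
    return f'<iframe src="{escape(safe_url, quote=True)}"></iframe>'


def naive_iframe(url: str) -> str:
    """The insufficient approach: escaping alone leaves the javascript: scheme intact."""
    return f'<iframe src="{escape(url, quote=True)}"></iframe>'
```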

@samanthajayasinghe
Member

Hi @vulf
This issue is fixed in v4.10.1
https://github.com/orangehrm/orangehrm/releases/tag/v4.10.1
