
Cross-site scripting in error message return when uploading duplicate image

KietNA

Chevereto Noob
#KietNA From Inv1cta Team, HPT Cyber Security Center

Describe the bug


The error message does not sanitize its output. When an authenticated user uploads a duplicate image, the JavaScript code will be executed.

Reproduction steps
  1. Insert a malicious script into the name of an image.
  2. Log in as user User1 and upload that image to the server.
  3. When another user uploads that image again, the application returns "Duplicate upload" and executes the JavaScript code.
User KietNA uploads the file to the server.

The file is uploaded successfully.

Sign in as user Test and upload that image again; the script is executed.
 
Thank you for reporting, but this doesn't mean any security vulnerability in the system.

This is not an XSS because the string is not stored; it only affects the user trying to upload an image with an XSS payload in its name. By doing this you can't cause any damage, as to trigger it you would have to inject the malicious code into another user's request (e.g. load image + code to steal cookie, session, etc.), but as that doesn't happen, this is not an XSS.

You see an alert because the XSS is interpreted on the thumb just loaded, but it won't be possible to inject this code into another user's page.

I will patch this for the paid edition. You can check it working now on the demo.
 
Thanks for your reply.
In this case it is called self-XSS, so the attacker can phish a user into uploading an image with a script attached, as shown in the image. By the way, thanks for your comment; I will try to find vulnerabilities with a higher impact.
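The pattern behind this thread, as an added example (not Chevereto's code, and not posted by either participant): an upload-error message that interpolates the uploaded filename straight into HTML, beside the same message with the filename escaped at the HTML sink. The message wording, the function names and the payload filename are assumptions for illustration; the tag-counting check at the end is a quick way a tester can tell whether a reflected string contributed markup of its own, which is what the screenshots in the report show.

```javascript
// Added example: filename reflected into an upload-error message.
// Not Chevereto's code; message text and function names are assumptions.

// Constructed payload of the kind the report describes: the *filename*
// carries the script, the image bytes themselves are irrelevant.
const MALICIOUS_FILENAME = '<img src=x onerror=alert(document.domain)>.png';

// Minimal HTML escaper, adequate for text nodes and double-quoted
// attribute values. Escape at the output sink, not on upload, so the
// stored filename stays intact for other uses.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the untrusted filename is dropped into a fragment
// that will be assigned to innerHTML (or echoed by the server unescaped).
// The browser parses the attacker's <img onerror=...> as real markup.
function duplicateErrorVulnerable(filename) {
  return `<p class="error">Duplicate upload: ${filename} was already uploaded.</p>`;
}

// Hardened: identical message, filename escaped at the sink. In a browser
// the equivalent is `el.textContent = filename` instead of innerHTML.
function duplicateErrorSafe(filename) {
  return `<p class="error">Duplicate upload: ${escapeHtml(filename)} was already uploaded.</p>`;
}

// Number of tags in a fragment. The template contributes exactly two
// (<p ...> and </p>); anything above that came from the interpolated data.
function tagCount(html) {
  return (html.match(/<[^>]+>/g) || []).length;
}

// Returns true when the reflected filename added markup of its own.
function filenameInjectsMarkup(render, filename) {
  return tagCount(render(filename)) > tagCount(render('plain.png'));
}
```

Note that the same rendering happens whether the string is stored or merely reflected; what limits impact here is that the fragment is only ever shown to the browser that performed the upload, which is why both participants end up calling it self-XSS. Escaping at the sink removes the bug either way.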
 