
XSS in installation script

Seongil Wi

Chevereto Noob
Hi,

Our research team in KAIST WSP Lab found a reflected vulnerability in chevereto-free (https://github.com/Chevereto/Chevereto-Free).
I am posting this thread to report the bug we found.

- Description: A reflected XSS vulnerability was identified in the ready.php page in the installation process due to insufficient sanitization of the $_POST['username'] variable. As a result, arbitrary JavaScript code can get executed.

▶ Reproduction steps
  1. Install Chevereto until it reaches the ready status (after the connection with the DB; note that when we install the app with Docker Compose, we can go to the ready state directly).
  2. Access http://[localhost]/install using a POST request with the username parameter. The value of the parameter should be hihi"><script>alert(1)</script>
😢 Unexpected result

Reflected Cross-Site Scripting (XSS) may allow an attacker to execute JavaScript code in the context of the victim’s browser. This may lead to unauthorized actions being performed, unauthorized access to data, stealing of session information, denial of service, etc. An attacker needs to coerce a user into visiting a link with the XSS payload to be properly exploited against a victim.


 
I believe that attackers will be able to do several malicious acts including but not limited to phishing, temporary defacement, DoS, browser key-logging and others.
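The bug class the report describes, as an added illustration that is not Chevereto's own install code: a POSTed value written into an HTML attribute without escaping, beside the same template with output encoding, plus a small regression check a maintainer could keep in a test suite. Function names and the template are assumptions for the example.

```php
<?php
// Added illustration of the pattern described in the report. This is NOT
// Chevereto's ready.php; it only shows the generic defect and its fix:
// a request parameter interpolated into value="..." without escaping.

declare(strict_types=1);

// Unescaped: a double quote in $username closes the attribute, so
// everything after it is parsed as new markup by the browser.
function render_username_field_unescaped(string $username): string
{
    return '<input type="text" name="username" value="' . $username . '">';
}

// Escaped: htmlspecialchars() converts & " ' < > to entities, so the
// whole value stays attribute text and is never parsed as a tag.
function render_username_field_escaped(string $username): string
{
    $safe = htmlspecialchars($username, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="username" value="' . $safe . '">';
}

// Regression check: a rendered field must never introduce a <script>
// element that the template itself does not contain.
function output_contains_script(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Constructed sample input: the string quoted in the report, replayed
// locally against the two renderers (no live request involved).
$sample = 'hihi"><script>alert(1)</script>';

$unescaped = render_username_field_unescaped($sample);
$escaped   = render_username_field_escaped($sample);

// The unescaped renderer reproduces the attribute breakout; the escaped
// renderer emits the payload as inert text (&quot;&gt;&lt;script&gt;...).
var_dump(output_contains_script($unescaped));
var_dump(output_contains_script($escaped));
echo $escaped, PHP_EOL;
```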
 
No, it won't cause that. The username parameter is only used when installing the software from scratch. Once the software gets installed the username field for /install is not handled at all.
 
No longer an issue, also I took care of updating the design in that view.

 