Alfresco 5.2.4 - Persistent Cross-Site Scripting

vendor:

Alfresco

by:

Romain LOISEL & Alexandre ZANNI

5.4

CVSS

MEDIUM

Persistent Cross-Site Scripting

CWE

Product Name: Alfresco

Affected Version From: Alfresco before 5.2.4

Affected Version To: 5.2.4

Patch Exists: YES

Related CWE: CVE-2020-8776, CVE-2020-8777, CVE-2020-8778

CPE: a:alfresco:alfresco

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Tested on: 5.2.4

2020

Alfresco 5.2.4 – Persistent Cross-Site Scripting

Each file has a set of properties than can be edited by any authenticated user that have write access on the project or the file. The URL property of the file provided by the user is injected in the href attribute of the HTML link without a proper escaping. On the document explorer, the value is injected in a span tag. But on the detailed view of the file, it's inserted in the href attribute of a a tag. http:// is prefixed before the payload provided by the user but can be bypassed. The generated vulnerable link will look like that: <a target="_blank" href="http://" onmouseover="alert(document.cookie)" rel="noopener">http://" onmouseover="alert(document.cookie)">. It requires write privileges to store it, any user with read access can see it. There is no file restriction for photo uploading in the user profile page. Then the profile picture can be seen in the browser. The payload is injected in the src attribute of an img tag. It requires write privileges to store it, any user with read access can see it. The document preview feature is vulnerable to XSS. The payload is injected in the src attribute of an iframe tag. http:// is prefixed before the payload provided by the user but can be bypassed. The generated vulnerable link will look like that: <iframe src="http://" onmouseover="alert(document.cookie)" "=" ">. It requires write privileges to store it, any user with read access can see it.

Mitigation:

Ensure that user input is properly sanitized and escaped before being used in the application. Use a web application firewall to detect and block malicious requests.

Source

Exploit-DB raw data:

# Exploit Title: Alfresco 5.2.4 - Persistent Cross-Site Scripting
# Date: 2020-03-02
# Exploit Author: Romain LOISEL & Alexandre ZANNI (https://pwn.by/noraj) - Pentesters from Orange Cyberdefense France
# Vendor Homepage: https://www.alfresco.com/
# Software Link: https://www.alfresco.com/ecm-software
# Version: Alfresco before 5.2.4
# Tested on: 5.2.4
# CVE : CVE-2020-8776, CVE-2020-8777, CVE-2020-8778
# Security advisory: https://gitlab.com/snippets/1937042

### Stored XSS n°1 - Document URL - CVE-2020-8776 (found by Alexandre ZANNI)

Each file has a set of properties than can be edited by any authenticated user
that have write access on the project or the file.

The **URL** property of the file provided by the user is injected in the `href`
attribute of the HTML link without a proper escaping.

- Where? In URL property
- Payload: `" onmouseover="alert(document.cookie)"`
- Details: On the document explorer, the value is injected in a span tag. But on the detailed view of the file, it's inserted in the `href` attribute of a `a` tag. `http://` is prefixed before the payload provided by the user but can be bypassed. The generated vulnerable link will look like that:
```html
<a target="_blank" href="http://" onmouseover="alert(document.cookie)" "=" ">http://" onmouseover="alert(document.cookie)"</a>
```
- Privileges: It requires write privileges to store it, any user with read access can see it.
- Steps to reproduce:
1. Go to _Document Library_
2. Upload a file or click _Edit properties_ on an existing file
3. Enter the payload in the URL property
4. Click on the file title to go on the detailed page of the file
5. Hover the displayed link to trigger the XSS

### Stored XSS n°2 - User profile photo upload / Document viewing - CVE-2020-8777 (found by Alexandre ZANNI)

There is no file restriction for photo uploading in the user profile page.
Then the profile picture can be seen in the browser.

- Where? In user profile photo
- Payload:
```xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

### Stored XSS n°3 - Generic file upload / Document viewing - CVE-2020-8778 (found by Romain LOISEL)

This is the generic version of the previous XSS. Uploading dangerous file types
is allowed and then they can be viewed to triggered the XSS. The difference
between the two is that this one requires right access on a project to upload
documents so the XSS is not exploitable with a read only account but the
previous one can be exploited by any user as any user is allowed to have a
profile photo.

- Where? Uploading a document anywhere
- Payload: any file type that can store and execute a JavaScript payload (eg. HTML, SVG, XML, etc.)
- Details: The XSS is triggerred only with the _View in browser_ feature.
- Privileges: Any authenticated user with write access to a project can store it and any user that have read access to the file or project can trigger it.
- Steps to reproduce:
1. Go to a project dashboard
2. IClick _Upload_ and upload a dangerous file
3. Use the document browser or any dashboard to find the uploaded file
4. Click on the title to go to the detailed page of the file
5. On the right panel, click the _View in browser_ link to trigger the XSS (on load)