
XSS via Image File #6471

Closed
rahadchowdhury opened this issue Apr 16, 2023 · 4 comments · Fixed by #7055
Assignees
Labels
good first issue Indicates a good issue for first-time contributors Security
Milestone

Comments

@rahadchowdhury

If you have the ChurchCRM software running, please file an issue using the Report an issue in the help menu.

On what page in the application did you find this issue?

I got this issue on the CSVImport.php page.

On what type of server is this running? Dedicated / Shared hosting? Linux / Windows?

Windows Server

What browser (and version) are you running?

Brave browser [Version 1.50.119 Chromium: 112.0.5615.121]

What version of PHP is the server running?

7.4.29

What version of SQL Server are you running?

Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29

What version of ChurchCRM are you running?

v4.5.4

Description:
I found a Cross-site scripting (XSS) vulnerability in your ChurchCRM (v4.5.4), in the "Admin" menu under the CSV Import page, in the Import data CSV uploader option. When I upload an image file with malicious code inserted into it, the browser gives me the result, because a browser cannot know whether the script should be trusted or not.

CMS Version:
v4.5.4

Affected URL:
http://127.0.0.1/churchcrm/CSVImport.php

Steps to Reproduce:

  1. First log in to your admin panel.
  2. Then click the "Admin" menu and click "CSV Import"; you will get the CSV file uploader option.

screenshot1

  3. Now insert the XSS payload into a jpg file using exiftool or via the image properties.

screenshot2

  4. Then upload the jpg file.
  5. You will see the XSS pop-up.

screenshot3

Proof of Concept:
See the Proof of Concept: I've attached screenshots and a video to confirm the vulnerability.

poc.mp4

Impact:
Attackers can make use of this to conduct attacks like phishing, stealing sessions, etc.

Let me know if any further info is required.

Thanks & Regards
Rahad Chowdhury
Cyber Security Specialist
https://www.linkedin.com/in/rahadchowdhury/
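The report above does not show where the uploaded bytes are echoed back, so the following is an added example and not ChurchCRM's own code. It assumes the importer previews the parsed CSV rows as an HTML table, and shows the two defensive steps a fix for this class of bug needs: refuse an upload that is really an image before parsing it, and HTML-encode every cell before it reaches the page. Function names and the sample uploads are constructed for illustration.

```php
<?php
// Added example, not ChurchCRM's own code. Assumption: the importer previews the
// parsed rows as an HTML table; the issue does not show where the payload is reflected.

// Magic-byte prefixes of common image formats; a CSV upload must never start with these.
const IMAGE_MAGIC = ["\xFF\xD8\xFF", "\x89PNG\r\n\x1A\n", "GIF87a", "GIF89a"];

/** Refuse uploads that are really images (this issue's vector) before parsing anything. */
function looksLikeImage(string $contents): bool
{
    foreach (IMAGE_MAGIC as $magic) {
        if (strncmp($contents, $magic, strlen($magic)) === 0) {
            return true;
        }
    }
    return false;
}

/** Split CSV text into rows of cells; every cell is still untrusted after this. */
function parseCsv(string $contents): array
{
    $lines = preg_split('/\r\n|\r|\n/', rtrim($contents, "\r\n"));
    return array_map('str_getcsv', $lines);
}

/** Render the preview table, HTML-encoding every cell: the step missing behind this XSS. */
function renderPreview(array $rows): string
{
    $html = "<table>\n";
    foreach ($rows as $row) {
        $html .= '<tr>';
        foreach ($row as $cell) {
            $html .= '<td>' . htmlspecialchars((string) $cell, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
        }
        $html .= "</tr>\n";
    }
    return $html . '</table>';
}

// Constructed sample uploads: a JPEG header carrying a script tag in its metadata area,
// and a CSV whose first cell carries the same tag.
$jpegUpload = "\xFF\xD8\xFF\xE1" . '<script>alert(1)</script>';
$csvUpload  = "Name,Email\n\"<script>alert(1)</script>\",user@example.org\n";

if (looksLikeImage($jpegUpload)) {
    echo "rejected: upload is an image, not CSV\n";
}
echo renderPreview(parseCsv($csvUpload)), "\n";
// The cell reaches the browser as &lt;script&gt;alert(1)&lt;/script&gt; and does not execute.
```

Magic-byte checks are a coarse filter only (a file can be valid CSV and still carry markup in its cells, as the second sample shows), so the output encoding is the control that actually closes the bug.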

@DawoudIO DawoudIO self-assigned this Oct 22, 2023

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

@github-actions github-actions bot added the Stale label Feb 23, 2024
@DAcodedBEAT DAcodedBEAT removed the Stale label Mar 7, 2024
@DAcodedBEAT DAcodedBEAT added the good first issue Indicates a good issue for first-time contributors label Apr 2, 2024
@DAcodedBEAT DAcodedBEAT added this to the vNext (5.8.0) milestone Apr 15, 2024
DAcodedBEAT added a commit that referenced this issue May 27, 2024
# Description & Issue number it closes 

Fixed assorted security issues reported via Github issues or static
analysis tooling.

Closes #6471
Closes #6848
Closes #6853

## Type of change

- [x] Bug fix (non-breaking change which fixes an issue)
respencer pushed a commit to respencer/ChurchCRM that referenced this issue May 27, 2024