# Alfresco Stored XSS Vulnerability

Blind Stored XSS in Alfresco Enterprise 5.2.4

Description:

Alfresco allows users to upload documents that are being saved in the alfresco portal, an attacker can upload a .html with malicious JavaScript which then executes on the Alfresco portal. During the assessment, we were able to execute blind stored cross-site scripting on the Alfresco portal which contains sensitive documents.

Risk:

A remote attacker can steal the victim’s credentials by sending a keylogger JavaScript. Also, phishing attacks can be performed by changing the content in the .html file which is being executed in the browser. This allows an attacker to perform any action in Alfresco as the logged-in user. Additionally, the following attack scenarios are possible:
By showing a new login screen the user’s credentials can be hijacked.
By adding JavaScript an attacker can redirect a victim to malicious websites.

Below is the POC for the Stored Cross-site scripting:

Malicious HTML file uploaded by a remote attacker in the Alfresco portal:


Cross-site scripting (XSS) is triggered in the Alfresco portal as the victim clicks on "view in browser" tab.



Another example of a phishing page by modifying the content in the HTML page.



Thank you for reading!

Comments

Post a Comment

Popular posts from this blog

Image
Reflected XSS in Documentum D2 Documentum D2 version 4.6 is vulnerable to multiple reflected XSS via improper sanitization of error pages. This bug was reported by Vipin Chaudhary and a CVE ID: CVE-2018-7660 has been assigned to it. Steps to reproduce: 1. While throwing error pages if an attacker try to add malicious javascript in the URL then it results into Reflected XSS 2. Below URLs are the example for the attack: http://x.x.x.x:8082/D2/servlet/Download?uid=edms-1519634386637-test_fin_user2-55580492&_docbase=edms&_username=test_fin_user2eyf41%3cscript%3ealert(1)%3c%2fscript%3efr89o&_password=DM_TICKET%3DT0JKIE5VTEwgMAoxMwp2ZXJzaW9uIElOVCBTIDAKMwpmbGFncyBJTlQgUyAwCjkKc2VxdWVuY2VfbnVtIElOVCBTIDAKMjkzMzkKY3JlYXRlX3RpbWUgSU5UIFMgMAoxNTE5NjM0ODYzCmV4cGlyZV90aW1lIElOVCBTIDAKMTUxOTYzNTc2Mwpkb21haW4gU1RSSU5HIFMgMApBIDE1IGFlYWR2c3MwMzAtdGVzdAp1c2VyX25hbWUgU1RSSU5HIFMgMApBIDE3IHRlc3RfZmluX2FwX3VzZXIyCnBhc3N3b3JkIFNUUklORyBTIDAKQSA3NyBETV9FTkNSX1RFWFQ9M3Ryb
Read more
Image
Stored XSS in Documentum D2 Documentum D2 version 4.6 is vulnerable to Stored XSS by HTML encoded value of a XSS payload to bypass the protection. This bug was reported by Vipin Chaudhary and a CVE ID: CVE-2018-7659 has been assigned to it. Steps to reproduce: 1. Login with your credentials in documentum d2 2. Go to import and upload any image file 3. then go to properties and click edit to change the document name 4. Now put "><img src=x onerror=alert(1) as the document name which is the HTML encoded value for XSS payload 5. As it gets saved in the portal, it will trigger the Stored XSS. PoC:
Read more