CVE-2020-23647: Multiple XSS Vulnerabilities · Issue #596 · boxbilling/boxbilling

Cross Site Scripting (XSS) vulnerability in BoxBilling 4.19, 4.19.1, 4.20, and 4.21 allows remote attackers to run arbitrary code via the message field on the submit new ticket form.


There are multiple XSS vulnerabilities (support ticket, forum topics, and guest inquiries mentioned in #526). In this issue, I will demonstrate the stored XSS that exists in a support ticket!

Method to reproduce:

1- Go to support and click on create a ticket

3- In the message field enter <script>alert('test');</script>

4- Click on Submit

💻 Technical Description

Looking at the src/bb-modules/Support/html_client file, we find the following JavaScript, which is responsible for making the API request. It serializes the input fields and sends a POST request to example.com/index.php?_url=/api/client/support/ticket_create:

    <script type="text/javascript">
    $(function() {
        // Submit the ticket form to the client API instead of a normal form post
        $('#ticket-submit').bind('submit', function(event) {
            $('.wait').show();
            bb.post(
                'client/support/ticket_create',
                $(this).serialize(),   // all form fields, including the message body
                function(result) {
                    bb.redirect('{{ 'support/ticket'|link }}' + '/' + result);
                }
            );
            return false;
        });
    });
    </script>

The request is received by the ticket_create function in /src/bb-modules/Support/Api/Client.php. The only check this function performs is for the presence of the required parameters:

    public function ticket_create($data)
    {
        $required = array(
            'content'             => 'Ticket content required',
            'subject'             => 'Ticket subject required',
            'support_helpdesk_id' => 'Ticket support_helpdesk_id required',
        );
        // Presence check only: the values themselves are not validated or encoded
        $this->di['validator']->checkRequiredParamsForArray($required, $data);

        $helpdesk = $this->di['db']->getExistingModelById('SupportHelpdesk', $data['support_helpdesk_id'], 'Helpdesk invalid');

        $client = $this->getIdentity();

        return $this->getService()->ticketCreateForClient($client, $helpdesk, $data);
    }

Once it has verified that the provided data contains the required parameters, it passes the request data together with the client identity and the helpdesk model to the ticketCreateForClient function in src/bb-modules/support/service.php:

    …
    …
    $ticket = $this->di['db']->dispense('SupportTicket');
    $ticket->client_id           = $client->id;
    $ticket->subject             = $data['subject'];
    $ticket->support_helpdesk_id = $helpdesk->id;
    $ticket->created_at          = date('Y-m-d H:i:s');
    $ticket->updated_at          = date('Y-m-d H:i:s');

    // related task with ticket
    $ticket->rel_id        = $rel_id;
    $ticket->rel_type      = $rel_type;
    $ticket->rel_task      = $rel_task;
    $ticket->rel_new_value = $rel_new_value;
    $ticket->rel_status    = $rel_status;

    $ticketId = $this->di['db']->store($ticket);

    // The message body is handed over unchanged
    $this->messageCreateForTicket($ticket, $client, $data['content']);

    …
    }

It stores the subject and the other ticket fields in the support_ticket table and passes the content to the messageCreateForTicket function:

    public function messageCreateForTicket(\Model_SupportTicket $ticket, $identity, $content)
    {
        $msg                    = $this->di['db']->dispense('SupportTicketMessage');
        $msg->support_ticket_id = $ticket->id;
        if ($identity instanceof \Model_Admin) {
            $msg->admin_id = $identity->id;
        } elseif ($identity instanceof \Model_Client) {
            $msg->client_id = $identity->id;
        } else {
            throw new \Box_Exception('Identity is not valid');
        }
        // Stored verbatim: no sanitization or encoding of the ticket body
        $msg->content    = $content;
        $msg->ip         = $this->di['request']->getClientAddress();
        $msg->created_at = date('Y-m-d H:i:s');
        $msg->updated_at = date('Y-m-d H:i:s');

        return $this->di['db']->store($msg);
    }

This function stores the content value (the ticket body) in the support_ticket_message table exactly as submitted. Since nothing along this path sanitizes or encodes the content, the injected script is persisted with the ticket, which makes this a stored cross-site scripting vulnerability.
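The mitigation the path above is missing is an encoding boundary. The following is an added illustration, not BoxBilling code: the function names, the length limit and the render wrapper are assumptions, and it assumes PHP 8 for str_contains. It keeps the stored value verbatim (as the project does) and neutralizes the payload where it is placed into HTML, which is where stored XSS must be stopped.

```php
<?php
// Added example (not BoxBilling code). Names and limits are illustrative.
declare(strict_types=1);

// Inbound: enforce well-formed input only. Do not try to strip <script>
// here; tag blacklists are bypassable and give a false sense of safety.
function normalizeTicketContent(string $content, int $maxLen = 10000): string
{
    if (!mb_check_encoding($content, 'UTF-8')) {
        throw new InvalidArgumentException('Ticket content must be valid UTF-8');
    }
    if (mb_strlen($content, 'UTF-8') > $maxLen) {
        throw new InvalidArgumentException('Ticket content too long');
    }
    return $content; // stored as-is, like support_ticket_message.content
}

// Outbound: every place that puts the stored body into HTML must encode it.
// This is the step that turns the stored payload back into inert text.
function renderTicketMessage(string $storedContent): string
{
    return '<div class="ticket-message">'
        . htmlspecialchars($storedContent, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</div>';
}

// Constructed sample input: the payload from the reproduction steps above.
$payload = "<script>alert('test');</script>";
$stored  = normalizeTicketContent($payload);
$html    = renderTicketMessage($stored);

// Self-check: the rendered page must not contain a live script element.
if (str_contains($html, '<script>')) {
    fwrite(STDERR, "FAIL: script tag reached the rendered page\n");
    exit(1);
}
echo $html, PHP_EOL;
```

Run with `php example.php`; the output shows the angle brackets and quotes of the payload as HTML entities rather than as markup.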

Reposting this from my original account.
Old post: Issue #526
