Summary
During a security analysis of Group Office I identified a stored Cross-Site Scripting (XSS) vulnerability in the file upload functionality. The name of an uploaded file is stored and later rendered into the page without adequate HTML encoding, so an attacker who controls a filename can inject markup and script that executes in the browser of every user who views that file. This affects the integrity and confidentiality of the application and of its users' sessions.
Details
The vulnerability is present in the file upload mechanism of Group Office version 6.8.28. An attacker can execute arbitrary JavaScript by embedding HTML in the name of an uploaded file. For example, the filename "><img src=x onerror=prompt('XSS')>.jpg triggers the issue: the leading double quote and > are part of the name and break out of the attribute and tag into which the name is inserted, and the <img> element that follows runs its onerror handler because src=x cannot be loaded. Because the filename is stored, the payload fires whenever Group Office renders that name, not only at upload time. This indicates that filenames are written into HTML without output encoding (or without being validated on upload), so injected markup is interpreted as part of the page.
PoC
To replicate this vulnerability:
1. Create a file whose name is "><img src=x onerror=prompt('XSS')>.jpg (the leading double quote is part of the name). Windows does not permit the characters " < > in filenames, so create the file on Linux or macOS, or supply the name directly in the filename field of the multipart upload request.
2. Upload the file through the Group Office file upload functionality.
3. View the uploaded file where Group Office displays its name. The prompt('XSS') dialog appears, confirming that the filename was rendered as HTML and the injected script executed.
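The following is an added example, not code from Group Office or from the original report. It shows, in plain JavaScript, why the filename above becomes stored XSS and what the fix looks like: a hypothetical file-list row template rendered once with the filename interpolated verbatim and once with every interpolation HTML-encoded, plus a small checker that lists any tag or event-handler attribute in the rendered markup that the template did not put there. The row template, the escapeHtml helper and the download URL are assumptions for illustration; the payload string is the one from the report.

```javascript
// Added example (not Group Office code). The template below is a hypothetical
// file-list row; the payload is the filename from the report.
const PAYLOAD_NAME = "\"><img src=x onerror=prompt('XSS')>.jpg";

// Vulnerable pattern: the untrusted filename is interpolated verbatim into an
// attribute value, a URL and the element text. The leading " closes the title
// attribute, the > closes the <a> start tag, and the <img onerror=...> that
// follows becomes a real element with a real event handler.
function renderFileRowUnsafe(name) {
  return `<a class="file" title="${name}" href="/download?name=${name}">${name}</a>`;
}

// Minimal HTML entity encoder for the five characters that can change the
// parse of element content or a double-quoted attribute value. In a real
// application prefer the templating engine's built-in escaping or DOM
// textContent over a hand-written encoder.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened pattern: every untrusted interpolation is encoded for the context
// it lands in. The URL parameter is percent-encoded first and the resulting
// attribute value is then HTML-encoded.
function renderFileRowSafe(name) {
  const text = escapeHtml(name);
  const href = escapeHtml("/download?name=" + encodeURIComponent(name));
  return `<a class="file" title="${text}" href="${href}">${text}</a>`;
}

// Tokenise the attribute list of one tag and return the attribute names.
// Quoted values are consumed whole, so text such as "onerror=" that appears
// inside an encoded attribute value is not mistaken for an attribute.
function attributeNames(attrs) {
  const names = [];
  const re = /([^\s=\/"']+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  let m;
  while ((m = re.exec(attrs)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Tester-side check over rendered markup: report every tag whose name is not
// one the template emits, and every tag carrying an on* event handler.
function findInjectedTags(html, allowedTags = ["a"]) {
  const findings = [];
  const tagRe = /<\/?([a-zA-Z][\w-]*)\b([^>]*)>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const [tag, name, attrs] = m;
    const hasHandler = attributeNames(attrs).some((a) => a.startsWith("on"));
    if (!allowedTags.includes(name.toLowerCase()) || hasHandler) findings.push(tag);
  }
  return findings;
}

// Demonstration: the vulnerable row yields three injected <img> tags (one per
// interpolation point); the hardened row yields none.
console.log("unsafe:", renderFileRowUnsafe(PAYLOAD_NAME));
console.log("injected:", findInjectedTags(renderFileRowUnsafe(PAYLOAD_NAME)));
console.log("safe:  ", renderFileRowSafe(PAYLOAD_NAME));
console.log("injected:", findInjectedTags(renderFileRowSafe(PAYLOAD_NAME)));
```

Encoding on output is the fix that closes the hole regardless of what the upload handler accepts; restricting the characters allowed in uploaded filenames is a useful additional control but should not be relied on alone, since names can also reach the application through other paths (renames, syncs, imports).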
Impact
This vulnerability is classified as stored XSS. Because the payload persists in the stored filename, it affects every user of the Group Office application whose browser renders that filename, with the script running in their session and with their privileges. The impact is significant: it can be used to steal data visible to the victim, hijack the victim's session, and perform actions in the application on the victim's behalf.