Zenario 9.7 (9.7.61188) : Malicious File Upload (XSS in PDF)
Description:
# An issue was discovered in Zenario 9.7 (9.7.61188)
# We have discovered a vulnerability that allows authenticated admin users to upload PDF files containing malicious code (stored cross-site scripting) into the target system. If the PDF file is accessed through the website, it can trigger a cross-site scripting (XSS) attack.
Affected Component:
Payload:
%PDF-1.7
1 0 obj
<</Pages 1 0 R /OpenAction 2 0 R>>
2 0 obj
<</S /JavaScript /JS (app.alert('xss test'))
>> trailer <</Root 1 0 R>>
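As an added example (not part of this advisory and not Zenario's own code), the following Python shows the control a defender would put in front of the document upload: a scanner that rejects PDFs carrying action or script dictionaries such as the payload above, plus the response headers to use when an accepted upload is served. The function names and the header set are my own choices; the sample PDFs are constructed inline, the first one being a copy of the payload shown above.

```python
"""Upload-time PDF scanner and download headers (added example, not Zenario code).

The payload above works because a viewer honours /OpenAction pointing at a
/JavaScript action. Refuse such files at upload time and serve accepted
files as downloads rather than inline.
"""
import re
import zlib

# PDF name objects that introduce script execution or automatic actions.
RISKY_NAMES = (
    b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
    b"/Launch", b"/SubmitForm", b"/ImportData", b"/RichMedia",
)

# PDF allows any byte of a name to be written as #xx, e.g. /J#61vaScript == /JavaScript.
_NAME_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# Raw bodies of stream objects; "(?<!end)" avoids matching the tail of "endstream".
_STREAM_BODY = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def normalize_names(data: bytes) -> bytes:
    """Undo #xx escapes so name matching sees the canonical spelling."""
    return _NAME_HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def stream_bodies(data: bytes) -> list:
    """Return every stream body, inflated when it is Flate-compressed, raw otherwise."""
    bodies = []
    for m in _STREAM_BODY.finditer(data):
        raw = m.group(1)
        try:
            bodies.append(zlib.decompress(raw))
        except zlib.error:
            bodies.append(raw)  # not zlib data (uncompressed or another filter): scan as-is
    return bodies


def scan_pdf(data: bytes) -> dict:
    """Classify an uploaded file: reject non-PDFs and PDFs containing active content."""
    if b"%PDF-" not in data[:1024]:  # the header may be preceded by up to 1024 bytes of junk
        return {"is_pdf": False, "findings": [], "verdict": "reject"}
    findings = set()
    for chunk in [data] + stream_bodies(data):
        text = normalize_names(chunk)
        for name in RISKY_NAMES:
            # Require a delimiter after the name so /JS does not match a longer name.
            if re.search(re.escape(name) + rb"(?![A-Za-z0-9_])", text):
                findings.add(name.decode())
    return {"is_pdf": True, "findings": sorted(findings),
            "verdict": "reject" if findings else "accept"}


def download_headers(filename: str) -> dict:
    """Headers for serving an accepted PDF: force a download and sandbox the response."""
    safe = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "document.pdf"
    return {
        "Content-Type": "application/pdf",
        "Content-Disposition": f'attachment; filename="{safe}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox",
    }


# Constructed sample: the advisory's payload, an OpenAction pointing at a JavaScript action.
MALICIOUS_PDF = (
    b"%PDF-1.7\n1 0 obj\n<</Pages 1 0 R /OpenAction 2 0 R>>\n"
    b"2 0 obj\n<</S /JavaScript /JS (app.alert('xss test'))\n>> trailer <</Root 1 0 R>>\n"
)

# Constructed sample: a benign one-page PDF with no actions at all.
BENIGN_PDF = (
    b"%PDF-1.4\n1 0 obj <</Type /Catalog /Pages 2 0 R>> endobj\n"
    b"2 0 obj <</Type /Pages /Kids [3 0 R] /Count 1>> endobj\n"
    b"3 0 obj <</Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]>> endobj\n"
    b"trailer <</Root 1 0 R>>\n%%EOF\n"
)


def compressed_sample() -> bytes:
    """Constructed sample: the same action inside a Flate-compressed object stream, with a
    hex-escaped name; a scanner that only greps the raw file bytes would miss it."""
    inner = b"2 0 obj <</S /J#61vaScript /JS (app.alert(1))>> endobj"
    body = zlib.compress(inner)
    return (b"%PDF-1.5\n1 0 obj <</Type /ObjStm /Filter /FlateDecode /Length "
            + str(len(body)).encode() + b">>\nstream\n" + body
            + b"\nendstream\nendobj\ntrailer <</Root 1 0 R>>\n")


if __name__ == "__main__":
    for label, blob in (("advisory payload", MALICIOUS_PDF), ("benign", BENIGN_PDF),
                        ("compressed", compressed_sample())):
        print(label, scan_pdf(blob))
    print(download_headers('report "x".pdf'))
```

Run as a script to see the three verdicts. Which viewers execute embedded JavaScript varies, so the reliable control is rejecting at upload rather than relying on the browser; the `Content-Disposition: attachment` header covers files that were accepted before the check existed. The regex approach is deliberately lenient (it over-matches rather than under-matches), and in production a proper PDF parser should back it, since object streams can use filters other than Flate.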
Proof of Concept:
First, log in to the target application as an admin.
Select “Go to Organizer” and click “Continue”.
Select the “Library” menu.
Select “Hierarchical documents”.
Then select “Upload documents” to upload a PDF file to the target.
Then follow these steps.
- Click “Upload…” and select the file to upload to the target.
- Select “Public” to make the document public.
- Click “Save” to save the document to the target.
The malicious PDF file is now uploaded to the target.
Then follow these steps.
- Click the “Modules” menu.
- Select the “Modules” sub-menu.
The “Document Container” module should have the status “Running”.
*If the “Document Container” module is found to be “Uninitialised”, select the “Document Container” module and click “Start module”.
Then select the icon to “View this module’s plugins”.
Select the “+Create a plugin” button to create a new plugin.
Then follow these steps.
- Enter a plugin name.
- Click “Select…” and choose the PDF file to add to the plugin.
- Select the malicious PDF file (xss-on-pdf.pdf) that was uploaded in the previous step.
- Click “Choose”.
- Check “Show a View button”.
- Click “Save” to create the new plugin.
The new plugin is created.
Then select the “Back to Home Page” icon.
Then select the “Tools” menu to edit the web page.
Choose the eye icon to show the empty slots on the web page.
Then look for an empty slot on the web page and follow these steps.
- Choose the slot inspector icon.
- Select the “Insert a plugin..” menu.
Click “Make a draft”.
Then select the plugin in the “Document Container” module.
Select the plugin by following these steps.
- Choose the “PDF Document Container” plugin.
- Click “Insert plugin”.
After the plugin is inserted successfully, the PDF file and a View button appear on the web page.
Then click the “Publish” button to publish the new content on the web application.
Then follow these steps.
- Select “Publish”.
- Click “Publish”.
Finally, the malicious PDF file appears on the target web application; click the “View” button to open the PDF file.
The XSS payload will run immediately.
Author:
Grim The Ripper Team by SOSECURE Thailand.