Vtiger CRM versions prior to 6.2 are vulnerable to stored XSS in the Documents module due to insufficient file upload validation and the absence of the X-Content-Type-Options: nosniff header.
The function responsible for uploading files is uploadAndSaveFile (line 120 of CRMEntity.php in Vtiger 6.1).
This function first checks that the file does not have a blacklisted extension; if it does, the extension is replaced with .txt.
Then the function decideFilePath() is used to determine the path where the file will be saved.
This function calls another function named initStorageFileDirectory.
The file name is clearly predictable, but as we will see later there is no need to guess it, because the path is visible client-side.
Finally the file is saved on the server under a path that includes a unique ID.
The problem with this function is that the extension check is based on a blacklist, which allows an attacker to upload a file with any extension not included in the blacklist.
When a browser encounters a file with a non-standard extension it analyzes the file’s content to determine its type.
This process is known as MIME Sniffing.
For more information about this attack: MIME Sniffing in Browsers and the Security Implications | Coalfire.
So, if an attacker uploads a file such as nonsensefile.nonsenseext containing JavaScript code, the browser will execute it, resulting in a stored XSS vulnerability.
PoC (contents of the uploaded file):
<script>alert("1")</script>
1. Create a new document.
2. Upload the malicious file.
3. Once the file has been uploaded, inspect the page source to see where it has been saved. In this case the path will be “storage/2024/November/week3/495139_file.nonsenseext”.
4. Access the file and observe that the JavaScript code gets executed.
The vulnerability was resolved in version 6.2 by placing a .htaccess file in the storage directory to prevent access to any type of file.
If updating to this version is not possible, the vulnerability can still be mitigated by adding the header X-Content-Type-Options: nosniff to every HTTP response.
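As an added example (not Vtiger's own code), the following Python models the blacklist decision made in uploadAndSaveFile beside an allowlist alternative, and classifies how a response for a file under storage/ would be treated under the two mitigations above. The extension lists are constructed samples; the real blacklist in CRMEntity.php is not reproduced.

```python
import os

# Constructed sample lists: the real blacklist in CRMEntity.php is not reproduced,
# and the allowlist is an assumption about what a Documents module would need.
SAMPLE_BLACKLIST = {"php", "phtml", "html", "htm", "js", "exe"}
SAMPLE_ALLOWLIST = {"pdf", "doc", "docx", "xls", "xlsx", "png", "jpg", "jpeg", "gif", "txt"}


def split_ext(filename):
    stem, ext = os.path.splitext(filename)
    return stem, ext.lstrip(".").lower()


def blacklist_rename(filename):
    """Vulnerable decision: only a known-bad extension is rewritten to .txt,
    so an arbitrary extension such as .nonsenseext is stored unchanged."""
    stem, ext = split_ext(filename)
    return f"{stem}.txt" if ext in SAMPLE_BLACKLIST else filename


def allowlist_rename(filename):
    """Hardened decision: anything not explicitly allowed is rewritten to .txt,
    which the browser will not interpret as HTML."""
    stem, ext = split_ext(filename)
    return filename if ext in SAMPLE_ALLOWLIST else f"{stem}.txt"


def assess_storage_response(status, headers):
    """Classify how a response for a file under storage/ would be treated.

    'blocked'   - the web server refused the request (the 6.2 .htaccess fix)
    'nosniff'   - served, but the browser must honour the declared Content-Type
    'sniffable' - served without nosniff; the browser may guess HTML from content
    """
    if status in (401, 403, 404):
        return "blocked"
    norm = {k.lower(): v.strip().lower() for k, v in headers.items()}
    if norm.get("x-content-type-options") == "nosniff":
        return "nosniff"
    return "sniffable"
```

nosniff only helps when the server also declares a non-HTML Content-Type for files under storage/; a file served as text/html would still render.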