About
A free and open source Laravel-based PIM software to help businesses organize, manage, and enrich their product data centrally.
GitHub repository: https://github.com/unopim/unopim
-Stored XSS: Cookie Hijacking
Technology stack
-Database: MySQL (root:password)
-Framework: Laravel
-Postman API Documentation: https://www.postman.com/unopim/unopim-apis/collection/kzy03uh/official-unopim-apis?ctx=info
-CSRF session token
johndoe@example.com:JohnDoe@123
RewriteCond %{HTTP:Authorization} .
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
The above rule captures the Authorization request header (which carries the session token here) and passes it through to PHP as the HTTP_AUTHORIZATION environment variable.
<FilesMatch ".(jpg|jpeg|gif|png|svg|swf|webp)$">
<IfModule mod_headers.c>
Header set Cache-Control "max-age=604800, public"
</IfModule>
</FilesMatch>
The above rule matches requests for files with these media extensions and sets a one-week public Cache-Control header on them. Note the unescaped dot in the pattern: `.` matches any single character, not only a literal period, and the rule only sets caching headers; it does not restrict what can be uploaded.
-.htaccess allows SVG to be uploaded. However, when uploading an SVG file, with or without XSS embedded, the image is not stored on the web server.
-.htaccess allows GIF to be uploaded. However, when uploading a GIF file, with or without XSS embedded, the image is not stored on the web server.
-No issues with how the server side processes file extensions.
In conclusion: only the JPEG and PNG file extensions work on the Account page.
-Even though the Account page only allows an admin to upload PNG and JPEG images, this restriction is not applied to the Create User function. The vulnerability allows attackers to perform XSS through an SVG file, which can be used to steal cookies.
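The fix for this class of finding is to apply the same server-side check to every upload path, not just the Account page. The following is an added example, not UnoPIM's own code: it rejects SVG and GIF by extension, by sniffed MIME type and by file signature, and discards the user-supplied filename when storing. The function names (validateImageUpload, storageName) and the sample inputs are constructed for illustration; the commented Laravel closure rule shows how such a check would be wired into a validation rule set.

```php
<?php
// Added example (not UnoPIM's own code): server-side image upload validation
// that accepts only JPEG and PNG regardless of the extension or the
// client-supplied Content-Type. Assumes PHP 8 with the fileinfo extension;
// function names are hypothetical.

declare(strict_types=1);

// Accepted MIME types and the extensions each may carry.
const ALLOWED_TYPES = [
    'image/jpeg' => ['jpg', 'jpeg'],
    'image/png'  => ['png'],
];

// File signatures (magic bytes) for the accepted formats.
const MAGIC = [
    'image/jpeg' => "\xFF\xD8\xFF",
    'image/png'  => "\x89PNG\r\n\x1A\n",
];

/**
 * Validate uploaded bytes and the original filename.
 * Returns null when the upload is acceptable, otherwise a rejection reason.
 */
function validateImageUpload(string $bytes, string $originalName): ?string
{
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    $allowedExts = array_merge(...array_values(ALLOWED_TYPES));
    if (!in_array($ext, $allowedExts, true)) {
        return "extension '$ext' is not allowed";
    }

    // Never trust the Content-Type sent by the client: sniff the bytes.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->buffer($bytes) ?: 'unknown';
    if (!isset(ALLOWED_TYPES[$detected])) {
        return "content type '$detected' is not allowed";
    }
    if (!in_array($ext, ALLOWED_TYPES[$detected], true)) {
        return "extension '$ext' does not match content type '$detected'";
    }

    // Check the format signature directly as well.
    if (!str_starts_with($bytes, MAGIC[$detected])) {
        return "file signature does not match $detected";
    }

    // SVG is XML text; reject anything that opens like markup even if
    // libmagic was fooled.
    if (preg_match('/^\s*(<\?xml|<svg|<!DOCTYPE)/i', $bytes)) {
        return 'markup detected in image upload';
    }

    return null;
}

/**
 * Storage name that ignores the user-supplied filename entirely, so the
 * served extension always matches the validated content type.
 */
function storageName(string $detectedMime): string
{
    return bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$detectedMime][0];
}

// Hypothetical Laravel usage: a closure rule delegating to validateImageUpload
// so the same check applies to the Account page and the Create User form.
// 'image' => ['required', 'file', 'mimes:jpeg,png',
//     function (string $attribute, mixed $value, Closure $fail) {
//         $err = validateImageUpload(
//             file_get_contents($value->getRealPath()),
//             $value->getClientOriginalName()
//         );
//         if ($err !== null) { $fail("The $attribute is invalid: $err"); }
//     }],

// Constructed sample inputs for a local run (not real uploads).
$samples = [
    'png'        => [MAGIC['image/png'] . str_repeat("\0", 16), 'avatar.png'],
    'svg'        => ['<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>', 'avatar.svg'],
    'svg-as-png' => ['<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"/>', 'avatar.png'],
    'gif'        => ['GIF89a' . str_repeat("\0", 16), 'avatar.gif'],
];
foreach ($samples as $label => [$bytes, $name]) {
    $result = validateImageUpload($bytes, $name);
    printf("%-11s %s\n", $label, $result ?? 'accepted');
}
```

Only the first sample is accepted; the SVG renamed to .png fails on the sniffed content type before the signature check is reached. Serving the stored files with X-Content-Type-Options: nosniff and a restrictive Content-Security-Policy on the upload path limits the impact should a bypass of this check ever be found.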