I have found a persistent XSS vulnerability in the UniFi Controller that allows an attacker to steal users' cookies, perform CSRF attacks against the victim's account, or mount phishing attacks. The vulnerability exists because the page accepts SVG attachments, and an SVG that declares xmlns="http://www.w3.org/1999/xhtml" is rendered by the browser as HTML rather than as an image, so any script it carries runs in the controller's origin.
Many websites now allow SVG files to be uploaded under the image category. But do they filter the content of the SVG file before storing it on the server? The answer is usually no. To verify this I created an SVG file containing the XSS vector below and started testing websites that accept image uploads.
1). While logged in to the UniFi Controller, go to https://localhost:8443/manage/site/urrhpg78/maps
2). In the image upload, select poc.svg.
3). Click "Upload File".
4). After the file is uploaded, open the image.
5). The XSS alert fires.
Direct link will be something like
I found the same bug in some other applications; you can have a look at Jasminder Pal Singh's blog. This bug also affects demo.ubnt.com.
A simple fix for this vulnerability is to block SVG uploads altogether. If that isn't possible, a good alternative is to parse the uploaded SVG and reject it if it is not well-formed XML, if it contains elements outside the SVG namespace (in particular anything in the XHTML namespace), or if it contains script elements, event-handler attributes, or javascript: links. Note that a browser only treats the file as an image when it is referenced from an <img> tag; opening the uploaded file directly (step 4 above) renders it as a document, which is why the script runs.
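The following is an added example of the second fix, written for this page and not taken from UniFi or the original post. It parses the uploaded SVG with the standard library and returns the reasons the file should be refused: elements in the XHTML namespace (the mechanism described above), <script> and <foreignObject>, on* event-handler attributes, and javascript:/data: links. The two sample documents at the bottom are constructed for the example and are not the author's poc.svg; the whitelist of two forbidden SVG element names is an assumption that a real deployment should extend (for instance to <use> with external references).

```python
"""Server-side SVG upload check (added example, not UniFi's code).

Uses only the standard library so it runs offline. In production, parse with
defusedxml.ElementTree instead of xml.etree to also block entity-expansion
attacks; the element and attribute checks below stay the same.
"""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XHTML_NS = "http://www.w3.org/1999/xhtml"
# Assumption for this example: the minimal set of SVG elements to refuse.
FORBIDDEN_SVG_ELEMENTS = {"script", "foreignObject"}
DANGEROUS_SCHEMES = ("javascript:", "data:")


def split_tag(qname):
    """Split an ElementTree '{namespace}local' name into (namespace, local)."""
    if qname.startswith("{"):
        ns, _, local = qname[1:].partition("}")
        return ns, local
    return "", qname


def svg_rejection_reasons(data):
    """Return a list of reasons to reject the upload; an empty list means accept."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    reasons = []
    if split_tag(root.tag) != (SVG_NS, "svg"):
        reasons.append("root element %r is not an SVG <svg>" % root.tag)
    for el in root.iter():
        ns, local = split_tag(el.tag)
        if ns == XHTML_NS:
            reasons.append("XHTML element <%s> (would be rendered as HTML)" % local)
        elif ns != SVG_NS:
            reasons.append("element <%s> in foreign namespace %r" % (local, ns))
        elif local in FORBIDDEN_SVG_ELEMENTS:
            reasons.append("<%s> is not allowed" % local)
        for attr, value in el.attrib.items():
            _, attr_local = split_tag(attr)  # handles xlink:href as well as href
            if attr_local.lower().startswith("on"):
                reasons.append("event handler %s on <%s>" % (attr_local, local))
            if attr_local.lower() == "href":
                # Drop whitespace and control characters browsers ignore before the scheme.
                scheme_part = re.sub(r"[\s\x00-\x1f]", "", value).lower()
                if scheme_part.startswith(DANGEROUS_SCHEMES):
                    reasons.append("%s link on <%s>" % (scheme_part.split(":")[0], local))
    return reasons


def is_safe_svg(data):
    """True when the file may be stored and served as an image."""
    return not svg_rejection_reasons(data)


# Constructed samples (not the author's poc.svg). The first embeds an XHTML
# body containing a script inside <foreignObject>; the second is a clean icon.
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <foreignObject width="100" height="100">
    <body xmlns="http://www.w3.org/1999/xhtml">
      <script>alert(document.cookie)</script>
    </body>
  </foreignObject>
</svg>"""

BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">
  <circle cx="50" cy="50" r="40" fill="#0a0"/>
</svg>"""

if __name__ == "__main__":
    for name, doc in (("malicious", MALICIOUS_SVG), ("benign", BENIGN_SVG)):
        print(name, "->", svg_rejection_reasons(doc) or "accepted")
```

The check is deliberately a deny-by-default walk over every element and attribute: a foreign namespace is enough to refuse the file even when no script is visible, because the XHTML content is what the browser will render. Serving accepted files with Content-Disposition: attachment, or from a separate origin, closes the remaining gap for files this parser accepts but a browser might still interpret differently.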
I'm writing about a stored XSS that I found in UniFi Controller v4.8.12.
I was checking the UniFi website for possible bugs but was not able to find anything good there, so I started playing with the UniFi Controller and some Ubiquiti devices I got from Ubiquiti for testing.
I started looking for XSS in the controller but found nothing at first. 🙁
I decided to search further, in the device data. After I plugged in a UniFi AP AC Lite, I found that the controller does not filter device names for HTML special characters.
Step 1: Download the UniFi v4.8.12 Controller (any OS should work).
Step 2: Open the UniFi Controller; it takes a few seconds to start.
Step 3: Set up your server by providing an admin name, password, etc.
Step 4: Plug in your UniFi AP AC Lite (any UniFi equipment should work).
Step 5: Change the device name to an XSS payload; in my case I used "><img src=x onerror=prompt(1)>
Step 6: Go to Statistics and boom, the XSS will prompt.
Step 7: $$$ Profit!!!
I've attached a screenshot of the same.
No filter is applied to this user input, so the payload is not limited to the prompt above; anything that renders as HTML in the Statistics page will run.
There isn't a direct attack path for this exploit, because the attacker needs to be an admin; otherwise they would be unable to change device names. However, an attacker who is an admin could use it against other admins.
One possible use is to steal another admin's password. Since passwords are hashed in the database, the attacker cannot simply read them, but they could capture a password through the XSS (for example with a prompt or a fake login page) and then try it against other services; if the victim reuses passwords (which you shouldn't), those services are compromised too.
Proof of Concept:
I want to share another finding, a Yahoo XSS filter bypass, which I reported to them in Dec 2014.
While researching and working on Yahoo bug bounties I found some cool XSS.
This one is tricky.
While researching dev.flurry.com I found that the company name field is vulnerable to XSS, but unfortunately there is a filter.
You can't use <, >, ;, or '; you get an error like "New company name is invalid".
But I found a way to bypass this. We can't use <, >, or ' when creating or editing a company name, but in "add company" we can: just go to https://dev.flurry.com/viewProfile.do and click on "advanced profile", where you can write your payload.
There is also a filter there, so the XSS will not trigger on that page. I tried many things, including eval(), but it didn't work, so I went looking for any place where the stored payload would execute. I found one!
Go to Applications > Alerts.
Then the XSS will trigger.
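Both of the last two findings come down to the same sink problem: the controller concatenates the device name into the Statistics page without encoding, and the Flurry company name relies on an input blocklist of <, >, ;, and ' that a second entry point does not apply. The example below is added here and is not the controller's or Flurry's code. It renders a hypothetical table row the vulnerable way and the fixed way (html.escape at the sink), re-creates a blocklist of the kind described above, and uses a small HTML parser to list the event handlers a browser would actually see. The row template, the name render_row_*, and the second payload (constructed to contain none of the four blocked characters) are assumptions for the example; the first payload is the one from Step 5 above.

```python
"""Added example (not the controller's or Flurry's code): one XSS sink rendered
two ways, an input blocklist of the kind described for the company-name field,
and a parser-based check for injected event handlers.
"""
import html
from html.parser import HTMLParser

# Payload from Step 5 of the UniFi post.
DEVICE_NAME_PAYLOAD = '"><img src=x onerror=prompt(1)>'

# Constructed attribute-context payload: contains none of < > ; ' so an
# input blocklist of those characters accepts it.
ATTRIBUTE_PAYLOAD = '" onmouseover="prompt(1)'

# Hypothetical row template: the name appears both as an attribute value and
# as text, like a device row in a statistics table.
ROW_TEMPLATE = '<tr><td class="device" title="%s">%s</td></tr>'


def render_row_vulnerable(device_name):
    """Concatenates the raw name into markup, as the post describes the controller doing."""
    return ROW_TEMPLATE % (device_name, device_name)


def render_row_fixed(device_name):
    """Encodes at the sink; quote=True also encodes " and ' so attribute values cannot be closed."""
    safe = html.escape(device_name, quote=True)
    return ROW_TEMPLATE % (safe, safe)


BLOCKED_CHARS = set("<>;'")


def passes_blocklist(value):
    """Input filter of the kind described for the Flurry company-name field."""
    return not (set(value) & BLOCKED_CHARS)


class _HandlerFinder(HTMLParser):
    """Collects (tag, attribute) for every on* attribute the parser sees."""

    def __init__(self):
        super().__init__()
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        for name, _ in attrs:
            if name.startswith("on"):
                self.handlers.append((tag, name))


def injected_handlers(markup):
    """Return (tag, attribute) pairs for every event handler in the rendered markup."""
    finder = _HandlerFinder()
    finder.feed(markup)
    finder.close()
    return finder.handlers


if __name__ == "__main__":
    for payload in (DEVICE_NAME_PAYLOAD, ATTRIBUTE_PAYLOAD):
        print("payload:          ", payload)
        print("blocklist accepts:", passes_blocklist(payload))
        print("vulnerable sink:  ", injected_handlers(render_row_vulnerable(payload)))
        print("fixed sink:       ", injected_handlers(render_row_fixed(payload)))
```

The blocklist rejects the Step 5 payload but accepts the attribute-context one, and the vulnerable render turns the latter into a live onmouseover on the <td>; the encoded render produces no handler for either. That is why the fix belongs at the output, and why a filter that is only applied on some forms (the create/edit path but not the advanced profile) is not a fix at all. html.escape covers HTML text and attribute contexts only; a name echoed into a JavaScript string or a URL needs the encoder for that context.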
Thanks for reading.
20 Jan 2014 - Triaged the bug.
21 Jul 2014 - Vulnerability fixed :D (That was pretty fast!)