Progress MOVEit Transfer < 2020.1 Stored XSS (CVE-2020-28647)
Published on Dec. 17, 2020 by Mark Galea
During a recent web application test engagement one of the applications in scope was a MOVEit Transfer 2020 web application. While performing the assessment a Stored Cross-Site Scripting (XSS) vulnerability was identified. This blog post will go though the discovery and exploitation of such vulnerability to gain administrative access to the web application.
With this payload in hand we can test this out. We can upload a file and then intercept the upload request to the server using burp proxy and change the filename and forward the request to the server.
After going through the application and its functionality, a potential vector of attack could be a low level user trying to escalate privileges to get administrative access to the web application.
With this code the first attempt was to inject a <script> tag with the source of the file set to an externally hosted file. The code snippet below was base64 encoded and then copied in the snippet above.
Having the direct download link we can now set this up to be included in the payload. This code below will create a script tag and set the source URL to the direct download link and finally insert the script tag in the page head tag and onload execute the r() function.
Next step is to base64 encode the code snippet above:
Once the file is uploaded, click on the uploaded file to open the details and click on the Download button to trigger the XSS and the creation of the admin user. A low level user can create this setup and if the uploaded file is downloaded by an administrative user then the low level user can get the administrator to unwittingly create an admin account.
05/08/2020 - Issue Reported
08/08/2020 - Issue Verified and fix to be included in next major release