CVE-2024-34241: A Step-by-Step Discovery Guide
How I Found Several Stored XSS Bugs in Rocket LMS Version 1.9 in Under 10 Minutes
It was late at night, and I was starting to burn out from hunting bugs in a few bug bounty programs I am active on. I still had that hacker itch I wanted to scratch, so I decided to look at a few web applications to see if I could find any easy "0days" to add a few more web-based CVEs to my resume.
My requirements are quite simple. To warm up, I usually look for PHP applications that are actively maintained, have a decent sales volume or user base, and are ideally open-source so I can access the source code. Additionally, I prefer applications with a low number of previous CVEs reported on older versions. I decided to check out the PHP applications sold on https://codecanyon.net/, a marketplace for developers selling various applications, plugins, and more.
I decided to search for popular PHP scripts because higher sales numbers usually indicate a decent user base. I found that Rocket LMS, a learning management system, had over 2,700 sales and 5-star reviews. I felt this would be an ideal target.
I decided to use the "instructor" user account, assuming it would offer additional functionality to explore. When I landed on the dashboard, I started testing the input fields with some simple payloads, and the application seemed to sanitize the user input very well. Eventually, I navigated to the Courses section, which allows me to create and edit new courses for my students. What intrigued me about this functionality was the use of a WYSIWYG editor in the Description section. Further research confirmed that the WYSIWYG editor implemented by RocketSoft is Summernote version 0.8.18.
Given that various WYSIWYG editors have a long history of recurring reflected and stored cross-site scripting vulnerabilities, I felt this was a good opportunity to see what I could find. I decided to input a simple XSS payload and saved the record, but the payload did not execute and appeared to be properly sanitized.
Next, I saved the course record with random text in the Description section and intercepted the POST request using Burp Suite. I then modified the description parameter with my XSS payload and forwarded the request:
<details/open/ontoggle=prompt(origin)>
I then navigated back to the course record and saw that the application had stored and executed my malicious payload. This immediately prompted the origin, confirming that I had DOM access. I realized that this simple "bypass" indicated a systemic issue throughout the entire application wherever the Summernote WYSIWYG editor is used.
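The bypass above works because Summernote's filtering runs in the browser, and a proxy lets the attacker skip it entirely: whatever the server receives in the description parameter is what gets stored and rendered. As an added example, not code from Rocket LMS, RocketSoft or Summernote, the following Node.js snippet shows the server-side allowlist sanitization that would have neutralized the payload. The tag and attribute allowlists, the helper names and the sample description are assumptions chosen for illustration.

```javascript
// Added example (not Rocket LMS or Summernote code): server-side allowlist
// sanitizer for WYSIWYG HTML, run against the payload from the write-up.
// The allowlists below are assumptions; adjust them for a real application.

const ALLOWED_TAGS = new Set([
  'p', 'br', 'b', 'i', 'u', 'strong', 'em', 'h1', 'h2', 'h3',
  'ul', 'ol', 'li', 'blockquote', 'pre', 'code', 'a', 'img',
]);

// Per-tag attribute allowlist. Event handlers (on*) are never allowed.
const ALLOWED_ATTRS = {
  a: new Set(['href', 'title']),
  img: new Set(['src', 'alt']),
};

// Only http(s), mailto and root-relative URLs; blocks javascript: and data:.
const SAFE_URL = /^(?:https?:|mailto:|\/(?!\/))/i;

// HTML tokenizers treat '/' between attributes like whitespace, so
// <details/open/ontoggle=prompt(origin)> carries two attributes: open and
// ontoggle. A filter that only splits on spaces never sees the handler.
function parseAttributes(raw) {
  const attrs = [];
  const re = /([^\s\/=<>"']+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(raw)) !== null) {
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    attrs.push({ name: m[1].toLowerCase(), value });
  }
  return attrs;
}

function escapeAttr(value) {
  return value
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Rebuilds every tag from scratch: unknown tags vanish, and only
// allowlisted attributes with safe values are re-emitted.
function sanitizeHtml(html) {
  return html.replace(/<\/?([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g, (whole, tag, rawAttrs) => {
    const name = tag.toLowerCase();
    if (!ALLOWED_TAGS.has(name)) return '';            // drops details, script, iframe, svg, ...
    if (whole.startsWith('</')) return `</${name}>`;  // closing tags carry no attributes
    const kept = [];
    for (const { name: attr, value } of parseAttributes(rawAttrs)) {
      if (attr.startsWith('on')) continue;             // ontoggle, onerror, onclick, ...
      const allowed = ALLOWED_ATTRS[name];
      if (!allowed || !allowed.has(attr)) continue;
      if ((attr === 'href' || attr === 'src') && !SAFE_URL.test(value.trim())) continue;
      kept.push(`${attr}="${escapeAttr(value)}"`);
    }
    return `<${name}${kept.length ? ' ' + kept.join(' ') : ''}>`;
  });
}

// Constructed sample: the write-up's payload plus a few common variants, as
// they would arrive in the POST body once the editor has been bypassed.
const STORED_DESCRIPTION =
  'Intro to Security<details/open/ontoggle=prompt(origin)>' +
  '<p onclick="alert(1)">Week 1</p>' +
  '<a href="javascript:alert(document.cookie)" title="syllabus">Syllabus</a>' +
  '<img src=x onerror=alert(origin)>';

// Crude check used only to show the before/after difference.
function hasEventHandler(html) {
  return /[\s\/]on[a-z]+\s*=/i.test(html);
}

console.log('raw has handler:', hasEventHandler(STORED_DESCRIPTION));
console.log('sanitized:', sanitizeHtml(STORED_DESCRIPTION));
```

The sample run drops the details element entirely and strips every on* attribute and javascript: URL, leaving `Intro to Security<p>Week 1</p><a title="syllabus">Syllabus</a><img>`. The regex tokenizer here is only an illustration of the allowlist idea; a production application should hand stored HTML to a parser-based sanitizer such as DOMPurify (JavaScript) or HTML Purifier (PHP), and should do so on the server at save time or render time, because anything that runs only in the user's browser is not a security boundary.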
I sat there and asked myself if this had already been reported. A quick Google search showed it hadn't been. I guess it was my lucky day; I found a new CVE in 10 minutes.
I will end this write-up as I always do. You don't need to be a super hacker to find CVEs or bugs on bug bounty platforms. As long as you consistently practice exploiting different vulnerabilities, you'll train yourself to see things from a hacker's perspective. In my opinion, passion for hacking and thinking like a hacker are the key traits that separate the good from the great in this industry.
Until next time, my fellow nerds,
Sergio Medeiros