File Upload Restriction Bypass leading to Stored XSS Vulnerability in star7th/showdoc

Status: Valid

Reported on: Mar 13th 2022


Description

The attachment upload's file-extension restriction can be bypassed to achieve stored XSS by uploading an HTML payload with the extension vbhtm, vbhtml or soap, or indeed any extension that ends in html (e.g. aahtml, bbhtml).

Proof of Concept

Step 1) Access https://www.showdoc.com.cn/attachment/index

Step 2) Prepare a file named xss.vbhtm with the content below and upload it

<script>alert(1)</script>

Step 3) Click check

XSS will be triggered.

Impact

An attacker could leverage this in a social-engineering attack and thereby steal the victim's cookies, among other things.

James Yeung modified the report
2 years ago
James Yeung (Researcher), 2 years ago:

@maintainer, please adopt a whitelist instead of a blacklist, otherwise a lot of file extensions could be abused to cause stored XSS.
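The whitelist the researcher asks for, beside the exact-match blacklist the report describes as bypassable, written as an added Python example rather than showdoc's own (PHP) code; the extension sets, the file-name pattern and the download headers are assumptions, and the sample file names are constructed from the extensions in the report:

```python
import os
import re
import secrets

# Constructed blacklist of the exact-match kind the report describes as
# bypassable; an illustration, not showdoc's actual filter.
DENYLIST = {"html", "htm", "php", "js", "svg"}

# Assumed whitelist: only the types the attachment feature is meant to accept.
ALLOWLIST = {"png", "jpg", "jpeg", "gif", "pdf", "txt", "zip", "docx", "xlsx"}

# File names constructed from the extensions named in the report.
REPORTED_BYPASSES = ["xss.vbhtm", "xss.vbhtml", "xss.soap", "xss.aahtml", "xss.bbhtml"]

# An accepted name is base.ext with exactly one dot: no double extensions, no path parts.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+\.[A-Za-z0-9]+")


def extension(filename: str) -> str:
    """Lower-cased final extension without the dot, '' if there is none."""
    return os.path.splitext(os.path.basename(filename))[1].lstrip(".").lower()


def denylist_allows(filename: str) -> bool:
    """Weak check: anything not explicitly listed is accepted."""
    return extension(filename) not in DENYLIST


def allowlist_allows(filename: str) -> bool:
    """Strong check: only a known-safe extension on a plain base.ext name is accepted."""
    name = os.path.basename(filename)
    return SAFE_NAME.fullmatch(name) is not None and extension(name) in ALLOWLIST


def stored_name(filename: str) -> str:
    """Server-chosen on-disk name for an accepted upload; the client's name is never reused."""
    if not allowlist_allows(filename):
        raise ValueError("extension not permitted: " + os.path.basename(filename))
    return secrets.token_hex(16) + "." + extension(filename)


def download_headers(name: str) -> dict:
    """Serve stored attachments as downloads so the browser never renders them as HTML."""
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": 'attachment; filename="' + name + '"',
        "X-Content-Type-Options": "nosniff",
    }
```

Every name in `REPORTED_BYPASSES` passes `denylist_allows` and fails `allowlist_allows`; the download headers are a second layer for files that are already stored.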

star7th validated this vulnerability 2 years ago
scriptidiot has been awarded the disclosure bounty
The fix bounty is now up for grabs
star7th marked this as fixed in 2.10.4 with commit 237ac6 2 years ago
star7th has been awarded the fix bounty