Unrestricted Upload of File with Dangerous Type Leads to Destroying the Company's Reputation in kiwitcms/kiwi

Valid

Reported on

Nov 23rd 2022


Description

In the upload function I found that it accepts a lot of file types, and this is very dangerous because a malicious user may upload an HTML file containing anything, such as a redirect to another site or a message destroying the company's reputation, like "this site has been hacked by a hacker".

Proof of Concept

PoC video link:
https://1drv.ms/v/s!AjTDEH9wRz1ugRBX4iqo_Hl0_-C0?e=MEVvSv

Impact

Upload an HTML file containing any message. The real risk is that the file can be accessed by any unauthenticated user, who will see it rendered as a normal page on the site.
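The following is an added example written for this page; it is not code from Kiwi TCMS and does not reproduce the project's own fix, which the page does not show. It models, in plain Python, the two behaviours the report contrasts: a download handler that trusts the uploaded file's extension and lets the browser render the file inline (so an uploaded HTML or SVG page is displayed on the site's origin), beside a hardened handler that renders inline only an allowlisted content type whose bytes agree with the extension, and otherwise forces a download with `Content-Disposition: attachment`, `X-Content-Type-Options: nosniff` and a sandboxing CSP. The sample uploads, the allowlist and the `serve_upload_*` function names are constructed assumptions for the example; the SVG case is included because the maintainer's reply later in the thread mentions embedded JavaScript in SVG files.

```python
import mimetypes
import os
import re
from dataclasses import dataclass, field

# Constructed sample uploads for this example; not files from the report.
SAMPLE_UPLOADS = {
    "report.txt": b"Build 42 passed on staging.",
    "index.html": b"<html><body><h1>This site has been hacked</h1></body></html>",
    "logo.svg": (b'<?xml version="1.0"?>'
                 b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'),
    "shot.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "setup.exe": b"MZ\x90\x00" + b"\x00" * 16,
}

# Types the browser may render inline. Assumed policy for this example, not Kiwi TCMS's own.
INLINE_SAFE_TYPES = {"image/png", "image/jpeg", "image/gif", "text/plain"}

# Markup that turns an inline response into a page the browser will render or script.
ACTIVE_MARKUP = re.compile(rb"<\s*(?:!doctype|html|svg|script|iframe|object|embed)\b", re.I)


@dataclass
class Response:
    content_type: str
    body: bytes
    headers: dict = field(default_factory=dict)


def looks_like_active_content(data: bytes) -> bool:
    """Sniff the first 1 KiB so a renamed .png that is really HTML or SVG is still caught."""
    return ACTIVE_MARKUP.search(data[:1024]) is not None


def safe_filename(name: str) -> str:
    """Keep only the basename and a conservative character set (blocks header injection)."""
    base = os.path.basename(name.replace("\\", "/"))
    base = re.sub(r"[^\w.\-]", "_", base)
    return base or "download"


def serve_upload_vulnerable(name: str, data: bytes) -> Response:
    """The behaviour the report describes: trust the extension, let the browser render it."""
    ctype = mimetypes.guess_type(name)[0] or "application/octet-stream"
    return Response(ctype, data)


def serve_upload_hardened(name: str, data: bytes) -> Response:
    """Render inline only an allowlisted type whose bytes agree; otherwise force a download."""
    ctype = mimetypes.guess_type(name)[0] or "application/octet-stream"
    inline = ctype in INLINE_SAFE_TYPES and not looks_like_active_content(data)
    if not inline:
        ctype = "application/octet-stream"
    disposition = "inline" if inline else "attachment"
    headers = {
        "Content-Disposition": f'{disposition}; filename="{safe_filename(name)}"',
        "X-Content-Type-Options": "nosniff",           # stop the browser second-guessing the type
        "Content-Security-Policy": "default-src 'none'; sandbox",  # defence in depth if rendered
    }
    return Response(ctype, data, headers)


def disposition_summary() -> dict:
    """Map each constructed sample to the disposition the hardened handler chooses."""
    return {
        name: serve_upload_hardened(name, data).headers["Content-Disposition"].split(";")[0]
        for name, data in SAMPLE_UPLOADS.items()
    }


if __name__ == "__main__":
    for name, data in SAMPLE_UPLOADS.items():
        before = serve_upload_vulnerable(name, data)
        after = serve_upload_hardened(name, data)
        print(f"{name:12} before={before.content_type:24} after={after.content_type:24} "
              f"{after.headers['Content-Disposition']}")
```

The point of the hardened handler is that the decision to render inline is taken from a short allowlist plus the file's leading bytes, never from the extension alone: `index.html`, `logo.svg` and `setup.exe` all come back as `application/octet-stream` with `attachment`, so a visitor who follows the link gets a download prompt instead of a page on the site's origin, while a real PNG or plain-text file is still displayed inline.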

We are processing your report and will contact the kiwitcms/kiwi team within 24 hours. a year ago
We have contacted a member of the kiwitcms/kiwi team and are waiting to hear back a year ago
Ahmed
a year ago

Researcher


This is the right PoC video link:

https://1drv.ms/v/s!AjTDEH9wRz1ugRIymfwHWdu3R9QI?e=R1k91s

Ahmed
a year ago

Researcher


@admin Any update?

Ahmed
a year ago

Researcher


@admin Any updates?

Pavlos
a year ago

Admin


Answered in other reports

Alexander Todorov modified the Severity from High (8.8) to Low (3) 8 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Alexander Todorov validated this vulnerability 8 months ago

Marking as a valid report, will be announced via our own channel soon: https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-fwcf-753v-fgcj

Lowering severity because execution of embedded JavaScript, e.g. from an SVG file, has been dealt with in a previous security advisory, which makes exploiting this vulnerability much harder.

From my understanding an unpatched version of Kiwi TCMS can still be used to spread around malicious files, e.g. executables but now it's easier to affect the computer of another user, instead of the Kiwi TCMS installation itself.

Will update when a fix is available.

Ahmed Rabeaa Mosaa has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Ahmed
8 months ago

Researcher


Can you assign a CVE?

Alexander Todorov marked this as fixed in 12.2 with commit 551dff 8 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
This vulnerability is scheduled to go public on May 8th 2023
Alexander Todorov published this vulnerability 7 months ago