File Upload lead to Stored XSS bypass csp in btcpayserver/btcpayserver
Feb 9th 2023
Stored cross-site scripting (also known as second-order or persistent XSS) arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way.
1-Login to your application and create a Store called “Test” make all the other details as default
- Navigate to “ Store Settings—>General” Tab
- Under the “Branding” Section there is a “ Choose File” To select a Logo for our Store.
- Select “Choose File” Option to Select an Image, Select any “.png” image you want.
- Intercept the Post-Request for “Choose File” Option using Burpsuite
- First delete the Content of uploaded “ png file “ then change the extension from “.png” to “.php” i.e( filename= "profile-picture.php") and in the Content add the below payload
BT /F1 24 Tf ET
endstream endobj xref 0 5 0000000000 65535 f 0000000015 00000 n 0000000062 00000 n 0000000117 00000 n 0000000424 00000 n trailer
<</Root 1 0 R /Size 5>> startxref 493 %%EOF
7. send the request and open the image you can see the xss # Impact XSS can cause a variety of problems for the end user that range in severity from an annoyance to complete account compromise. The most severe XSS attacks involve disclosure of the user's session cookie, allowing an attacker to hijack the user's session and take over the account.
This should already have been reported, and fixed 3 days ago. And I can't reproduce since then. Please try to upload a file on https://mainnet.demo.btcpayserver.org/ and give me the link to it.
I tried to browse the link in the video show casing the CSP https://mainnet.demo.btcpayserver.org/LocalStorage/46233dda-aef4-43fb-b081-6f98ecd62b4f-cspxss.php but it is not found. I don't think I mispelled
You can try this url, I re-uploaded it
How the fuck is it possible? We pushed a fix with "script-src: ;" yestersday, but this doesn't stop this one...
Do you have a suggestion to prevent this? We can't really detect the type of file that is uploaded just reading from the content of the file. There will always have a way to avoid the detection...
You can prevent uploading files except in certain formats Or you can check the body of the file uploaded by the user
Can I get a CVE for this report?
When can i get my cve number
when I made a release, tomorrow probably
Isn't executable anymore, and pdf can't be uploaded anymore either.