Cross-site Scripting (XSS) - Stored in admidio/admidio
Reported on Oct 14th 2021
Description
Hello, looking at your project, I saw in the commits several anti-CSRF token additions, but also a commit that disallows SVG file upload.
However, a blacklist is in general a bad idea: for example, php, php3, ... are blocked, but it is always possible to send a .php7 or .phps file.
Among the extensions that are not blocked there is also .html2; this extension allows you to send a file with arbitrary content, including JavaScript, to obtain a stored XSS.
From OWASP : Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.
Proof of Concept
- On /adm_program/system/file_upload.php?module=documents_files&id=1, upload a file with the .html2 extension and HTML/JavaScript content.
- Go to /adm_my_files/documents_test/test.html2 (instead of going through the manager, we use the direct URL so that the file is not downloaded, as it normally would be).
- The file is opened and executed.
Impact
In the version I'm using, the anti-CSRF protection is not yet in place, but even with it, it would be possible to bypass it and perform malicious actions such as adding a new administrator.
Remediation
I did not propose a fix with this report, but I recommend replacing this blacklist system with a whitelist system.
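The blacklist-versus-whitelist point in the report, as an added example that is not Admidio's own code nor the reporter's: a blacklist check of the kind the report criticises next to a whitelist check, run over the extensions named above. Both lists, the helper names and the sample file names are assumptions for illustration; they are not the project's actual lists or functions.

```php
<?php
// Added example, not Admidio's code. The $blocked and $allowed lists are
// assumed for illustration only.

// Extract the extension in a normalised form: lower-cased, with any
// trailing dot removed, so "evil.PHP." is treated as "php".
function extensionOf(string $filename): string
{
    $name = rtrim(strtolower(trim($filename)), '.');
    return pathinfo($name, PATHINFO_EXTENSION);
}

// Blacklist check (the weak approach): anything not explicitly listed passes,
// so .php7, .phps and .html2 are accepted even though they are dangerous.
function isAllowedByBlacklist(string $filename): bool
{
    $blocked = ['php', 'php3', 'php4', 'php5', 'phtml', 'svg', 'html', 'htm', 'js'];
    return !in_array(extensionOf($filename), $blocked, true);
}

// Whitelist check (the approach recommended by the report): only explicitly
// listed extensions pass; an unknown or missing extension is rejected.
function isAllowedByWhitelist(string $filename): bool
{
    $allowed = ['pdf', 'png', 'jpg', 'jpeg', 'gif', 'txt', 'docx', 'xlsx', 'zip'];
    $ext = extensionOf($filename);
    return $ext !== '' && in_array($ext, $allowed, true);
}

// Constructed sample file names, including the bypasses from the report.
$samples = ['report.pdf', 'photo.JPG', 'shell.php7', 'shell.phps', 'xss.html2', 'evil.php.', 'noext'];
foreach ($samples as $f) {
    printf("%-12s blacklist: %-5s whitelist: %s\n", $f,
        isAllowedByBlacklist($f) ? 'allow' : 'block',
        isAllowedByWhitelist($f) ? 'allow' : 'block');
}
```

The whitelist rejects shell.php7, shell.phps and xss.html2, which the blacklist lets through; it also rejects a file with no extension, which the blacklist accepts. An extension whitelist alone does not cover every case: a server configured to treat multiple extensions (for example name.php.jpg) as executable, or a browser sniffing the type of a file served without a Content-Type, can still be a problem, so storing uploads outside the web root or serving them with Content-Disposition: attachment (the download path the report says it deliberately avoided) is a sensible additional layer.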
Thanks for the hint. We will implement a whitelist check within the next version.
This issue is fixed with version 4.0.10, which has just been released. There we introduce a whitelist for file extensions.