File Upload Restriction Bypass leading to Stored XSS Vulnerability in star7th/showdoc
Mar 13th 2022
The file upload restriction can be bypassed, leading to stored XSS, by using the file extensions vbhtm, vbhtml or soap, or indeed any extension that ends in html (e.g. aahtml, bbhtml).
Proof of Concept
Step 1) Access https://www.showdoc.com.cn/attachment/index
Step 2) Prepare a file named xss.vbhtm with the content below and upload it
Step 3) Click check
The XSS payload is triggered.
An attacker could leverage this for social engineering and thereby steal the victim's cookies, among other things.
commented a year ago
@maintainer, please adopt a whitelist instead of a blacklist, otherwise a lot of file extensions could be abused to cause stored XSS.
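As an added illustration (not code from showdoc or from the reporter), here is an extension blacklist of the kind the report describes beside the allowlist the comment recommends, run over the extensions named in the report. The extension sets, the regex and the sample file names are constructed for this demo.

```python
import os
import re

# Vulnerable pattern: reject only a hand-picked list of "bad" extensions.
# Deliberately incomplete, as in the report: vbhtm, vbhtml, soap and
# "anything ending in html" are not on it, so they pass.
BLACKLIST = {"html", "htm", "php", "js", "svg"}

# Hardened pattern: accept only the extensions the application needs.
ALLOWLIST = {"png", "jpg", "jpeg", "gif", "pdf", "txt", "zip"}

# Base name may contain only these characters; this also rejects NUL bytes,
# path separators and empty names.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_-][A-Za-z0-9_.-]{0,127}$")

# File names from the report, plus two legitimate ones (constructed).
REPORTED_NAMES = ["xss.vbhtm", "xss.vbhtml", "xss.soap", "xss.aahtml",
                  "xss.bbhtml", "photo.PNG", "notes.txt"]


def extension_of(filename: str) -> str:
    """Return the final extension of the base name, lower-cased ('' if none)."""
    base = os.path.basename(filename)
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].lower()


def blacklist_allows(filename: str) -> bool:
    """Blacklist check: anything not explicitly banned is accepted."""
    return extension_of(filename) not in BLACKLIST


def allowlist_allows(filename: str) -> bool:
    """Allowlist check: only a known-good extension on a well-formed name."""
    base = os.path.basename(filename)
    if not _SAFE_NAME.match(base):
        return False
    return extension_of(base) in ALLOWLIST


def compare(filenames):
    """Map each name to (blacklist_verdict, allowlist_verdict) for review."""
    return {f: (blacklist_allows(f), allowlist_allows(f)) for f in filenames}


if __name__ == "__main__":
    for name, (bl, al) in compare(REPORTED_NAMES).items():
        print(f"{name:12} blacklist={'accept' if bl else 'reject':6} "
              f"allowlist={'accept' if al else 'reject'}")
```

Even with an allowlist, user-supplied attachments should be served with `Content-Disposition: attachment` and `X-Content-Type-Options: nosniff` so the browser does not render them inline.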
star7th validated this vulnerability a year ago
James Yeung has been awarded the disclosure bounty