Unrestricted Upload of File with Dangerous Type in star7th/showdoc


Reported on

Jan 25th 2022


There is a filter to prevent upload php, HTML, svg filetype in the code snippet from line 115 to line 122 in AttachmentController.class.php:

 if (strstr(strip_tags(strtolower($uploadFile['name'])), ".php") 
            || strstr(strip_tags(strtolower($uploadFile['name'])), ".htm") 
            || strstr(strip_tags(strtolower($uploadFile['name'])), ".svg") 
            ) {
            return false;

However, I found a way to bypass this filter via uploading arbitrary files with those filetypes by using %0d character in the filename.

Proof of Concept

Create an malicious HTML file and named it phish.h%0dtml

<!DOCTYPE html>
    <meta charset="utf-8"/>
    <meta name="viewport" content="width=device-width, initial-scale=1"/>
    <title>Test Upload File</title>
    <h1>Test upload</h1>

Now after login, click the arrow on the top right corner -> go to File Library. (https://www.showdoc.com.cn/attachment/index)
In the File Library page, click Upload button and choose the phish.h%0dtml
After uploading successfully, click on the check button to open it in a new tab.

You will see that the HTML file is executed, this will happen the same with other filetypes.


This vulnerability has the potential to deface websites, result in compromised user accounts, and can run malicious code on web pages, which can lead to a compromise of the user’s device.

We are processing your report and will contact the star7th/showdoc team within 24 hours. 4 months ago
KhanhCM modified the report
4 months ago
We have contacted a member of the star7th/showdoc team and are waiting to hear back 4 months ago
4 months ago


I tried to upload the file Phish I h%0dtml did succeed. But JS didn't execute when I downloaded it. It directly pops up the file download box and does not execute HTML or JS. Did I reproduce it wrong? https://www.showdoc.com.cn/server/api/attachment/visitFile?sign=d4cdb8d37e715c9940329fbc17bbff0c

4 months ago


I've just retested on both Firefox and Chrome browsers and am still able to reproduce the vulnerability. When I go to the file's link, the JS is executed and the HTML is rendered.
You can view my link at https://www.showdoc.com.cn/server/api/attachment/visitFile?sign=5f0f670e39c18ea5b49a392c86b17a9f

4 months ago


I have fixed the problem. You can verify it

We have sent a follow up to the star7th/showdoc team. We will try again in 7 days. 4 months ago
star7th validated this vulnerability 4 months ago
KhanhCM has been awarded the disclosure bounty
The fix bounty is now up for grabs
We have sent a fix follow up to the star7th/showdoc team. We will try again in 7 days. 4 months ago
We have sent a second fix follow up to the star7th/showdoc team. We will try again in 10 days. 3 months ago
We have sent a third and final fix follow up to the star7th/showdoc team. This report is now considered stale. 3 months ago
star7th confirmed that a fix has been merged on 7383d7 3 months ago
star7th has been awarded the fix bounty
to join this conversation