Unrestricted Upload of File with Dangerous Type in fisharebest/webtrees

Valid

Reported on

Oct 9th 2021


Description

The program allows uploading files with dangerous file types in the media upload section, leading to XSS and other exploits like shell uploads, HTML injection leading to social engineering attacks, etc. I have demonstrated HTML file upload leading to XSS here.

Proof of Concept

Go to the link, upload an HTML file and view it. XSS will be triggered.

Impact

XSS, shell uploads, HTML injection
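The report above hinges on an uploaded HTML file being sent back to a browser that then renders it. As an added illustration (not part of the report and not webtrees code), the Python below shows the two defensive layers a media endpoint would want: an upload gate that pairs an extension allowlist with magic-byte and markup checks, and download headers that keep the browser from rendering stored media as HTML. Function names and the allowlist are assumptions chosen for the example.

```python
"""Added example of an upload gate and safe download headers for a media endpoint.
Not webtrees code; ALLOWED_TYPES and the function names are illustrative choices."""
import os
import re

# Allowlist: extension -> MIME type the file will be served as.
ALLOWED_TYPES = {
    ".jpg": "image/jpeg", ".jpeg": "image/jpeg",
    ".png": "image/png", ".gif": "image/gif", ".pdf": "application/pdf",
}

# Leading bytes each allowed type must start with; content must match its extension.
MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
    "application/pdf": (b"%PDF-",),
}

# Markup a browser would act on if the file were ever interpreted as HTML.
HTML_MARKERS = re.compile(rb"<\s*(!doctype|html|script|svg|iframe|body)\b", re.I)


def check_upload(filename, data):
    """Return (accepted, reason_or_mime). Rejects dangerous types and mismatched content."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, "extension not in allowlist"
    mime = ALLOWED_TYPES[ext]
    if not data.startswith(MAGIC[mime]):
        return False, "content does not match declared type"
    # A polyglot can pass the magic check and still carry markup (e.g. GIF header
    # followed by <script>); reject markup in the leading bytes as well.
    if HTML_MARKERS.search(data[:4096]):
        return False, "markup found in upload body"
    return True, mime


def download_headers(filename, mime):
    """Headers for serving a stored media file so the browser never renders it as HTML."""
    # Sanitise the name so it cannot break out of the quoted Content-Disposition value.
    safe_name = re.sub(r"[^\w.-]", "_", os.path.basename(filename))
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
    }
```

The gate rejects the HTML upload from the PoC outright, and the headers mean that even a file which slips through is downloaded rather than rendered.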

We have contacted a member of the fisharebest/webtrees team and are waiting to hear back (a year ago)
Ajmal Aboobacker modified the report
a year ago
Greg Roach
a year ago

Maintainer


You wrote:

if shell are uploaded

Can you give an example of this? I can see the issue with HTML files that contain javascript. But files are just sent to the browser - not executed.

Ajmal
a year ago

Researcher


For HTML pages, user interaction is needed to trigger the payload. I will update here about the shell upload after some time.

Greg Roach
a year ago

Maintainer


OK - can you provide a PoC for the shell upload, or update the description to remove it? Thanks

Ajmal
a year ago

Researcher


I think shell upload is not possible; I will remove it from the description. And I was not able to recreate the XSS, I hope you have fixed it, but HTML injection is still possible.

Ajmal Aboobacker modified the report
a year ago
Greg Roach validated this vulnerability a year ago
Ajmal Aboobacker has been awarded the disclosure bounty
The fix bounty is now up for grabs
Greg Roach marked this as fixed with commit fc9041 a year ago
Greg Roach has been awarded the fix bounty
This vulnerability will not receive a CVE
Jamie Slome
a year ago

Admin


@maintainer - the researcher has requested a CVE to be created for this report. Are you happy to go ahead with this?
