Starbucks: XXE at

ID H1:500515
Type hackerone
Reporter johnstone
Modified 2019-11-13T00:36:25


Description: Hi,guys,when i was visited the jobs of starbucks websites in China(, i found a features of uploaded user's photo.Thought the bypass the security restrictions of upload,i can upload html|xhtml|xml|config files etc.The uploaded html file can realize the danger of stored xss,and the uploaded xml file can be parsed by the server,Through tested, the server does not prohibit the use of doctypes, entities, and access to external dtd files.

Steps To Reproduce:

Upload and XXE vulnerability: 1. Log in to the user, enter the personal information settings page, click Upload Image 2. Intercept https access information through Burp suite 3. addd "html;" attributes in the parameter of "allow_file_type_list",or you can delete the params of "allow_file_type_list",then replace the filename's Suffix name ".jpg" to ".html" 4. Get the server's response information,visited the uploaded file URL. 5. uploaded a malicious xml file to the server,change the parameter of "_hxpage",like

>POST /retail/hxpublic_v6/hxdynamicpage6.aspx?_hxpage=tempfiles/temp_uploaded_d4e4c8c5-c4ab-4743-a6fd-c2d779a29734.xml&max_file_size_kb=1024&allow_file_type_list=xml;jpg;jpeg;png;bmp;

or change the "HX_PAGE_NAME" params of xml date by post

>POST /retail/hxpublic_v6/hxxmlservice6.aspx HTTP/1.1 HX_PAGE_NAME="tempfiles/temp_uploaded_71cc275c-64fc-40fc-a9cc-52cce5a02858.xml"

post the edited request,the starbucks's server will visit the attacker's server to get the DTD file.


The vulnerability can let the attacker upload the evil files in the server which will spoof the user,steal the user's cookie and informations.The XXE vulnerability disclose some server's informations ,denial of service attack,maybe will cause NTLMv2 hash attacks through XXE(the starbucks'server environment is iis, which could lead to attackers having full control over the server and the entire inner domain. By the way,if the report isn't considered eligible.please let me close this report myself.Thank you