Source: huntr | Reporter: hainguyen0207 | ID: A335C013-DB75-4120-872C-42059C7100E8
History: Aug 31, 2023 - 5:57 p.m.

File Upload Vulnerability in Categories

2023-08-31 17:57:22
hainguyen0207
www.huntr.dev
file upload
vulnerability
admin account
image file
script injection
external site redirection
content-type
burp suite
proof of concept

EPSS: 0.001 (Low)

Percentile: 39.3%

Description

I noticed your website is very secure.

But you overlooked a File Upload flaw.

Proof of Concept

Detail:

1. Log in with the admin demo account and access the admin page.

2. Create a category titled "test" and upload an image file.

3. Using Burp Suite, edit the Content-Type to image/html and insert the payload at the end of the content:

    <script>window.location.href = 'https://www.youtube.com'</script>

4. Go back to the home page and save the image as ".html".

5. Open the saved image file; it navigates to the YouTube website.
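The steps above rely on the server accepting a client-supplied Content-Type and on bytes appended after the real image data. The following is an added example of a server-side check, written for this page and not part of the reported application or of huntr: it ignores the client's header in favour of an allow-list, parses the PNG chunk structure, verifies each CRC, and rejects any bytes after the IEND chunk, which is exactly where the payload in step 3 lands. The sample PNG and the appended payload are constructed inline.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
ALLOWED_TYPES = {"image/png"}  # server-side allow-list; the client's header is never trusted


def _chunk(ctype: bytes, payload: bytes) -> bytes:
    """Encode one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_sample_png() -> bytes:
    """Constructed 1x1 greyscale PNG used as sample input (not from the report)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, depth, colour type, ...
    idat = zlib.compress(b"\x00\x80")  # filter byte 0 followed by one grey pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def validate_png_upload(data: bytes, declared_type: str) -> tuple[bool, str]:
    """Return (ok, reason). Rejects disallowed types, malformed chunks,
    and any trailing bytes after IEND (where appended markup would sit)."""
    if declared_type not in ALLOWED_TYPES:
        return False, f"content-type not allowed: {declared_type}"
    if not data.startswith(PNG_SIGNATURE):
        return False, "not a PNG (bad signature)"
    pos = len(PNG_SIGNATURE)
    first = True
    while True:
        if pos + 8 > len(data):
            return False, "truncated chunk header"
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4  # header + data + CRC
        if end > len(data):
            return False, f"truncated chunk {ctype!r}"
        payload = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[end - 4:end])[0]
        if crc != (zlib.crc32(ctype + payload) & 0xFFFFFFFF):
            return False, f"bad CRC in chunk {ctype!r}"
        if first and ctype != b"IHDR":
            return False, "first chunk is not IHDR"
        first = False
        pos = end
        if ctype == b"IEND":
            break
    if pos != len(data):
        return False, f"{len(data) - pos} trailing bytes after IEND"
    return True, "ok"
```

Structural validation covers appended data only; stored uploads should also be given a server-assigned name and extension and served with X-Content-Type-Options: nosniff so a browser never interprets them as HTML.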

Video Poc

https://drive.google.com/file/d/1o05oFZXNDVLnpF9e86R9DAKXfYILHKR8/view?usp=sharing

