Stored XSS due to Unrestricted File Upload

Reported by ajaysenr on huntr (www.huntr.dev), March 13, 2022, 13:26
Report ID: A412707C-18DA-4C84-ADC0-9801ED8068C9

EPSS: 0.001 (Low), percentile 21.6%

Description

Stored XSS via uploading files in the .xsd, .asa and .aspx formats (.aspx was already mentioned in a previous report).

Proof of Concept

For .xsd

filename="poc.xsd"

<a:script xmlns:a="http://www.w3.org/1999/xhtml">alert(1)</a:script>

For .asa and .aspx

filename="poc.asa"

<script>alert(1)</script>

Steps to Reproduce

1. Log in to showdoc.com.cn.
2. Navigate to the file library (https://www.showdoc.com.cn/attachment/index).
3. In the File Library page, click the Upload button and choose the poc.xsd file.
4. After uploading the file, click the check button to open that file in a new tab.

XSS will trigger when the attachment is opened in a new tab.
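The root cause described above is that the file library stores whatever the user uploads and then serves it inline, so the browser renders a .xsd file as XML (where an XHTML-namespaced script element executes) and a .asa/.aspx file as HTML. The following is an added example, not code from the report or from ShowDoc, showing the two server-side controls that break this pattern: an extension allowlist with a content check at upload time, and download-only response headers at serving time. The allowlist, the marker list, the function names and the sample filenames are assumptions constructed for illustration.

```python
"""Defensive handling for an attachment endpoint.

Added example, not code from the huntr report or from ShowDoc. It shows the
two controls that stop an uploaded .xsd/.asa/.aspx file from being rendered
by the browser in the site's origin. Names, the allowlist and the sample
inputs are assumptions constructed for illustration.
"""
import re
from typing import Dict, Tuple

# Constructed allowlist: what this hypothetical file library needs to accept.
# Everything else (including .xsd, .asa, .aspx) is refused at upload time.
ALLOWED_EXTENSIONS = frozenset({"png", "jpg", "jpeg", "gif", "pdf", "zip", "txt", "csv"})

# Byte markers a browser would treat as markup or script if the file were ever
# rendered inline, whatever the extension claims. Constructed list.
MARKUP_MARKERS = (b"<script", b"<?xml", b"<html", b"<svg", b"xmlns", b"<%")

# Characters permitted in the filename we echo back in Content-Disposition.
_SAFE_NAME = re.compile(r"[^A-Za-z0-9._-]")


def extension_of(filename: str) -> str:
    """Return the lower-cased final extension after stripping path components
    and the trailing dots/spaces that some filesystems silently drop."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    name = name.rstrip(". ").lower()
    if "\x00" in name or "." not in name:
        return ""
    return name.rsplit(".", 1)[1]


def upload_decision(filename: str, head: bytes) -> Tuple[bool, str]:
    """Decide whether to store an upload: allowlist the extension, then refuse
    text uploads whose first bytes look like markup even though the name passed."""
    ext = extension_of(filename)
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension '{ext or '(none)'}' is not in the allowlist"
    lowered = head[:512].lower()
    if ext in {"txt", "csv"} and any(m in lowered for m in MARKUP_MARKERS):
        return False, "text upload contains markup"
    return True, "ok"


def download_headers(stored_name: str) -> Dict[str, str]:
    """Headers for serving any stored attachment so the browser never renders
    it in the application's origin: force a download, pin a non-renderable
    type, forbid MIME sniffing, and sandbox the response as a last resort."""
    safe = _SAFE_NAME.sub("_", stored_name) or "download"
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
        "Cache-Control": "no-store",
    }


if __name__ == "__main__":
    # Constructed sample uploads mirroring the report's file types.
    samples = [
        ("poc.xsd", b'<a:script xmlns:a="http://www.w3.org/1999/xhtml">alert(1)</a:script>'),
        ("poc.asa", b"<script>alert(1)</script>"),
        ("poc.ASPX.", b"<script>alert(1)</script>"),
        ("report.pdf", b"%PDF-1.4"),
        ("notes.txt", b"<script>alert(1)</script>"),
    ]
    for name, head in samples:
        print(name, upload_decision(name, head))
    print(download_headers("report.pdf"))
```

The serving-side headers are the control that actually closes the bug: an extension allowlist can be bypassed by a naming trick the filter did not anticipate, but a response that is always delivered as `application/octet-stream` with `Content-Disposition: attachment` and `nosniff` is not executed by the browser no matter what the file contains. Applying both gives the usual defence in depth.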

POC URLs:

.xsd - https://www.showdoc.com.cn/server/api/attachment/visitFile?sign=2f29dd262be2e974572a4387fdb10317
.asa - https://www.showdoc.com.cn/server/api/attachment/visitFile?sign=2a9ce4675debdcfb6b324f52c33c3a72
.aspx - https://www.showdoc.com.cn/server/api/attachment/visitFile?sign=72e7ab226e5df530e3c7d13165f25273

Impact

An attacker can perform social engineering on users by redirecting them from the real website to a fake one, or can steal their cookies, etc.
