Lucene search
NhiephonACC23996-BD57-448F-9EB4-05A8A046C2DCHistoryMar 13, 2022 - 9:14 a.m.
Unrestricted Upload of File with Dangerous Type
2022-03-1309:14:49
nhiephon
www.huntr.dev
14
0.001 Low
EPSS
Percentile
21.6%
Description
This is a bypass of report https://huntr.dev/bounties/3eb5a8f9-24e3-4eae-a212-070b2fbc237e/.
The upload feature allows the files with the extension .*html which leads to Stored XSS.
Proof of Concept
- Step 1: Login into showdoc.com.cn.
- Step 2: Go to https://www.showdoc.com.cn/attachment/index
- Step 3: In the File Library page, click the Upload button and choose file below. You can use any file extension with regex “.([a-zA-Z0-9])*html”
<script>alert(origin)</script>
- Step 4: Click on the check button to open that file in a new tab.
POC URL:
https://www.showdoc.com.cn/server/api/attachment/visitFile?sign=4422094937428007ab74c30faea73ef3
https://www.showdoc.com.cn/server/api/attachment/visitFile?sign=d40db01d06885a0ff0e2b48818d5ad31
https://www.showdoc.com.cn/server/api/attachment/visitFile?sign=08059f8a61fa5838255f9c3b848ad347
Impact
Stored XSS.
Related
osv
osv
Cross-site Scripting in ShowDoc
2022-03-16 00:00:48
CVE-2022-0950
2022-03-15 09:15:07
prion
prion
Unrestricted file upload
2022-03-15 09:15:00
cve
cve
CVE-2022-0950
2022-03-15 09:15:07
github
github
Cross-site Scripting in ShowDoc
2022-03-16 00:00:48
cvelist
cvelist
nvd
nvd
CVE-2022-0950
2022-03-15 09:15:07