huntr / Scriptidiot / B3A983A3-17F9-4AA8-92D7-8A0C92A93932
History: Mar 13, 2022 - 2:20 p.m.

File Upload Restriction Bypass leading to Stored XSS Vulnerability

2022-03-13 14:20:26
scriptidiot
www.huntr.dev

EPSS: 0.001 (Low)
Percentile: 30.2%

Description

The file upload restriction can be bypassed, leading to a stored XSS vulnerability, by using the file extensions vbhtm, vbhtml or soap, or any extension that ends with html (e.g. aahtml, bbhtml).

Proof of Concept

Step 1) Access https://www.showdoc.com.cn/attachment/index

Step 2) Prepare a file named xss.vbhtm with the content below and upload it

<script>alert(1)</script>

Step 3) Click check

XSS will be triggered

Impact

An attacker could leverage this to perform social engineering and thereby steal the victim's cookies, etc.
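
Added example (not ShowDoc's code and not part of the original report): a comparison of a denylist extension filter with an allowlist, run over the extensions named in the description. The denylist contents, the allowlist, and all function names are assumptions for illustration; the report does not show the actual filter.

```python
import os

# ASSUMPTION: a denylist of "dangerous" extensions, standing in for the kind
# of restriction the report bypasses. Not taken from ShowDoc.
ASSUMED_DENYLIST = {"php", "html", "htm", "shtml", "svg", "js"}

# Hypothetical allowlist: the only extensions accepted, each mapped to the
# fixed Content-Type the server uses when the file is served back.
ALLOWED = {
    "png": "image/png",
    "jpg": "image/jpeg",
    "gif": "image/gif",
    "pdf": "application/pdf",
    "txt": "text/plain; charset=utf-8",
}

# Constructed sample names using the extensions listed in the description.
REPORTED = ["xss.vbhtm", "xss.vbhtml", "xss.soap", "xss.aahtml", "xss.bbhtml"]


def extension(filename):
    """Lower-cased final extension of the base name, or '' if there is none."""
    name = os.path.basename(filename.replace("\\", "/"))
    _, dot, ext = name.rpartition(".")
    return ext.lower() if dot else ""


def denylist_accepts(filename):
    """Accept anything whose extension is not explicitly blocked."""
    return extension(filename) not in ASSUMED_DENYLIST


def allowlist_accepts(filename):
    """Accept only extensions that are explicitly permitted."""
    return extension(filename) in ALLOWED


def download_headers(filename):
    """Response headers that stop a stored upload from rendering as HTML."""
    ext = extension(filename)
    if ext not in ALLOWED:
        raise ValueError("extension not allowed: %r" % ext)
    return {
        "Content-Type": ALLOWED[ext],          # fixed by the server, never guessed
        "X-Content-Type-Options": "nosniff",   # disable browser MIME sniffing
        "Content-Disposition": "attachment",   # download instead of rendering
    }


if __name__ == "__main__":
    for name in REPORTED + ["xss.html", "photo.PNG"]:
        print(name, "denylist:", denylist_accepts(name),
              "allowlist:", allowlist_accepts(name))
```

Every extension from the description passes the assumed denylist and is rejected by the allowlist; serving stored files with a fixed Content-Type, nosniff, and an attachment disposition limits the impact of any file that does get through.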
