Avatar upload leads to stored XSS

[KKC73]

Hi,
I would like to report a security vulnerability in FormCMS.

An authenticated attacker can upload a malicious .html file through the avatar upload endpoint (/api/profile/avatar). After uploading, the server stores the file at a publicly accessible location (/files/avatar/[random-id].html). The public URL of the uploaded file can be retrieved via a separate endpoint, allowing the attacker to obtain and share the exact link.

This file is accessible without authentication or access control. If a higher-privileged user, such as a Super Admin, visits the link—either directly or through social engineering—the embedded JavaScript executes in the context of their session. This allows the attacker to perform unauthorized API actions on behalf of the victim, such as full CRUD operations on users, roles, and other sensitive application-specific data.

I am happy to provide a proof-of-concept or further details if needed.

Edit: Affected version is v0.5.5

[formcms]

thank you so much for let me know the issue.

I will check if the file is a image file in the upload avatar function.
Admin can also upload file, but I think since they are admins, formCMS would not enforce file limitation, what do you think?

[KKC73]

I will check if the file is a image file in the upload avatar function. Admin can also upload file, but I think since they are admins, formCMS would not enforce file limitation, what do you think?

Do you mean file upload for other functions or the avatar function?

1. Regarding the avatar function, if I'm not mistaken, since you also have a user portal where normal users can sign in with GitHub or register and then upload a malicious HTML file, I think you should fix the file upload functionality for avatars, nonetheless.

• User portal login

• User portal registration

2. Regarding other upload functions, you can

• Implement some limitations to dangerous files and contents (this is a good read in term of security: https://learn.microsoft.com/en-us/aspnet/core/mvc/models/file-uploads?view=aspnetcore-9.0#security-considerations).
• Consider a way to safely render the file when you need to display the files on the web app side, so that for example you can execute Javascript but can't do anything on other component of the site or send request with the current user cookie. I'm think some kind of sandbox (https://www.w3schools.com/tags/att_iframe_sandbox.asp) maybe.

But I'm not sure yet since I haven't looked at them because I don't know how to get Teacher, Course, and etc. like in your demo web app yet. How about I take a look at them first then I can contact you via email or open an issue here of potential attack vector if there is any?

Edit: When you check the file upload for avatar, you should check:

• File extension
• Content-type
• Mime type

You should add some security headers so that you can prevent common attacks such as CSP, X-XSS-Protection, and etc. but they can affect your web app functions tho, use what you can. Check this: https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html.

[formcms]

for uploadAvatar

I check extension first

public static bool IsImage(this IFormFile inputFile)
    {
        var ext = Path.GetExtension(inputFile.FileName).ToLower();
        return ext is ".jpg" or ".jpeg" or ".png" or ".bmp";
    }

then I tried to compress image, if user trid to upload big image,(e.g. 10M), tried limit the width

using SixLabors.ImageSharp;
using SixLabors.ImageSharp.Formats.Jpeg;
using SixLabors.ImageSharp.Processing;

namespace FormCMS.Infrastructure.ImageUtil;

public class ImageSharpResizer(ResizeOptions opts) : IResizer
{
    public IFormFile CompressImage(IFormFile inputFile)
    {
        using var inputStream = inputFile.OpenReadStream();
        using var image = Image.Load(inputStream);
        
        if (image.Width > opts.MaxWidth)
        {
            var scaleFactor = (float)opts.MaxWidth / image.Width;
            var newHeight = (int)(image.Height * scaleFactor);
            image.Mutate(x => x.Resize(opts.MaxWidth, newHeight));
        }
        
        var outputStream = new MemoryStream(); // No 'using' to keep it open for FormFile
        image.Save(outputStream, new JpegEncoder { Quality = opts.Quality });
        outputStream.Position = 0;

        var outputFileName = Path.ChangeExtension(inputFile.FileName, ".jpg");
        return new FormFile(outputStream, 0, outputStream.Length, "file", outputFileName)
        {
            Headers = inputFile.Headers,
            ContentType = "image/jpeg"
        };
    }
}

I tested if user upload a wrong format image, backend throws an exception.

Will try to enforce more strict limitation for content admin.

Thank you so much for your help

[KKC73]

Happy to help!

for uploadAvatar

Seems ok. I will help check when you release a new version.

Will try to enforce more strict limitation for content admin.

If admins don't need to upload html and js file in your web app logic, you should add restriction for them.

If nothing else, should I close this issue now?

[formcms]

Hope you can leave this issue, (closed, but not deleted), so people knows FormCms has considered XSS issue.

Went though the doc you provided, here is my plan in next release.

1. give user option to persist file to other directory(defalt is wwwroot/files)
2. limit upload size(configurable)
3. within upload size but still larger than throttle level(Configurable), save as temp file (prevent use to much memory)
4. give user option to set temp file location, user can set temp file not in main drive, so event temp partition full, the web app should still work.
5. limit upload file type, check signature of each type. user can add more type and signature.
6. only render image and video. for other type only allow download.

Thanks again,

below is some code I found

https://learn.microsoft.com/en-us/aspnet/core/mvc/models/file-uploads?view=aspnetcore-9.0#validationprivate

static readonly  Dictionary<string, List<byte[]>> _fileSignature = new Dictionary<string, List<byte[]>>
{
{ ".gif", new List<byte[]> { new byte[] { 0x47, 0x49, 0x46, 0x38 } } },
{ ".png", new List<byte[]> { new byte[] { 0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A } } },
{ ".jpeg", new List<byte[]>
{
new byte[] { 0xFF, 0xD8, 0xFF, 0xE0 },
new byte[] { 0xFF, 0xD8, 0xFF, 0xE2 },
new byte[] { 0xFF, 0xD8, 0xFF, 0xE3 },
}
},
{ ".jpg", new List<byte[]>
{
new byte[] { 0xFF, 0xD8, 0xFF, 0xE0 },
new byte[] { 0xFF, 0xD8, 0xFF, 0xE1 },
new byte[] { 0xFF, 0xD8, 0xFF, 0xE8 },
}
},
{ ".zip", new List<byte[]>
{
new byte[] { 0x50, 0x4B, 0x03, 0x04 },
new byte[] { 0x50, 0x4B, 0x4C, 0x49, 0x54, 0x45 },
new byte[] { 0x50, 0x4B, 0x53, 0x70, 0x58 },
new byte[] { 0x50, 0x4B, 0x05, 0x06 },
new byte[] { 0x50, 0x4B, 0x07, 0x08 },
new byte[] { 0x57, 0x69, 0x6E, 0x5A, 0x69, 0x70 },
}
},
};

[KKC73]

5. limit upload file type, check signature of each type. user can add more type and signature.

Are you planning to only accept .gif, .png, .jpeg, .jpg, and .zip? If so, I think this is good.

[KKC73]

Hey, @formcms. Could you reply this comment with the release version that contains the fixed code? I would like to specify it when I close this issue.

[formcms]

sure, will do, I am working on this, I want to support large upload, so I am working on chunked upload, it's complicated than I have thought. I hope I can release a version next week.

within upload size but still larger than throttle level(Configurable), save as temp file (prevent use to much memory)

[KKC73]

Noted! You can alert me when you release a fixed version. Thank u

[formcms]

Hi KKC73,

0.5.7 addressed this security issue
https://fluent-cms-admin.azurewebsites.net/doc/index.html#asset-security-concern

please review.

Thanks

[KKC73]

Hi, @formcms.

I will install the new version to test when I have the time. If there is no more issue, I will close the issue with the fixed version.

Thank you for your cooperation in fixing this issue.

[KKC73]

Fixed at v0.5.7.