Reflected Cross-Site Scripting (XSS) in Upload Error Messages #338
Labels: bug (Something isn't working), good issue (Well described issue), low impact (In context of security issue), security
Affected versions: potentially >= 1.5.2
Hey @ciur,
unfortunately, I've again identified an XSS issue. However, the likelihood for exploitation is very low, since it is a reflected self-XSS, which cannot be exploited by a remote attacker.
Description
Although the application successfully blocks uploaded filenames with unsafe characters, the displayed error message does not properly sanitize the reflected filename. Therefore, if a user uploads a filename with an XSS payload, the file gets successfully blocked and is not uploaded into the application, but the XSS filename is reflected in the displayed error message and instantly executed by the browser.
Example filenames to trigger XSS:
Note: Filenames with special chars are usually only allowed in Unix/Linux operating systems.
Recommendation
Escape all untrusted user input before storing it into the database or reflecting it in the web application. If user input is always properly escaped, there might be even no need for blocking specific characters.
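A minimal illustration of the recommendation above, added here as an example and not code from the issue or from the project: a filename check that rejects unsafe characters, with the error message rendered once in the unescaped form the report describes and once with the reflected filename escaped via Python's `html.escape`. The rejected character set, the function names and the sample filename are constructed for this example and do not reflect the project's actual rules.

```python
import html
import re
from typing import Optional, Tuple

# Constructed deny-list of characters the upload check rejects in a filename.
# The project's real rule is not on the page; this is only for the example.
UNSAFE_CHARS = re.compile(r'[<>"\'&/\\:;|]')

# Constructed sample: a filename the check will reject, containing markup.
SAMPLE_FILENAME = "report<script>x</script>.pdf"


def render_error_vulnerable(filename: str) -> str:
    """The pattern the report describes: the rejected filename is interpolated
    into the HTML error message as-is, so any markup in it is parsed."""
    return f"<p>Upload of {filename} blocked: unsafe characters in filename.</p>"


def render_error_escaped(filename: str) -> str:
    """Hardened form: escape the reflected name so the browser renders it as text.
    quote=True also escapes quotes, which matters if the value ever lands in an
    attribute rather than element text."""
    safe_name = html.escape(filename, quote=True)
    return f"<p>Upload of {safe_name} blocked: unsafe characters in filename.</p>"


def check_upload(filename: str, escape: bool = True) -> Tuple[bool, Optional[str]]:
    """Return (accepted, error_html). Blocking still happens in both modes; the
    only difference is whether the reflected filename is escaped."""
    if UNSAFE_CHARS.search(filename) is None:
        return True, None
    render = render_error_escaped if escape else render_error_vulnerable
    return False, render(filename)


def reflects_raw_markup(rendered: str) -> bool:
    """Crude check for the defect: does a raw <script tag survive in the
    rendered error message?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    accepted, err = check_upload(SAMPLE_FILENAME, escape=False)
    print("unescaped:", err, "| raw markup:", reflects_raw_markup(err))
    accepted, err = check_upload(SAMPLE_FILENAME)
    print("escaped:  ", err, "| raw markup:", reflects_raw_markup(err))
```

Escaping at the point of output is the actual fix; the character block is defense in depth. Template engines with autoescaping enabled produce the escaped form automatically, but only as long as the error message is not marked as safe HTML before rendering.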