Reflected Cross-Site Scripting (XSS) in Upload Error Messages #338
Assignees
Labels
bug
Something isn't working
good issue
Well described issue
low impact
In context of security issue
security
Milestone
Comments
|
@l4rm4nd, thanks for detailed report, I highly appreciate it! |
ciur
added
good issue
This was referenced Mar 20, 2021
|
Here is the fix. |
ciur
added a commit
to papermerge/papermerge-core
that referenced
this issue
Mar 20, 2021
|
Fix is now part of version 2.0 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Affected versions: potentially >= 1.5.2
Hey @ciur,
unfortunately, I've again identified an XSS issue. However, the likelihood for exploitation is very low, since it is a reflected self-xss, which cannot be exploited by a remote attacker.
Description
Although the application successfully blocks uploaded filenames with unsafe characters, the displayed error message does not properly sanitize the reflected filename. Therefore, if a user uploads a filename with an XSS payload, the file gets successfully blocked and is not uploaded into the application, but the XSS filename is reflected in the displayed error message and instantly executed by the browser.
Example filenames to trigger XSS:
Note: Filenames with special chars are usually only allowed in Unix/Linux operating systems.
Recommendation
Escape all untrusted user input before storing it into the database or reflecting it in the web application. If user input is always properly escaped, there might be even no need for blocking specific characters.
The text was updated successfully, but these errors were encountered: