
Arbitrary file upload in the backend could cause a stored XSS vulnerability. #1522

Closed
1979139113 opened this issue Nov 9, 2021 · 1 comment
Labels
kind/bug Categorizes issue or PR as related to a bug.

Comments

@1979139113

What version of Halo has the issue?

1.4.13

What database are you using?

Other

What is your deployment method?

Fat Jar

Your site address.

No response

What happened?

At the avatar upload function point, any file can be uploaded, for example an HTML file, which causes a stored XSS vulnerability.

The file upload function point:

[screenshot]

Upload an HTML file; it shows success:

[screenshot]

Access the HTML file; you can see that it is parsed by the browser:

[screenshot]

If you upload malicious XSS code, you will get the user's token, like this:

Payload

<script>
	document.write(localStorage.getItem("halo__Access-Token"));
	document.write("</br></br>")
	document.write(localStorage.getItem("halo__USER"));
</script>

[screenshots]

Analyzing the code, it can be seen that all suffixes can be uploaded; there is no restriction on the file's suffix.

[screenshot]

It's recommended to only allow the parameter extension to be png, jpeg, jpg, gif, bmp or other image suffixes.

[screenshot]

Relevant log output

No response

Additional information

No response

@1979139113 1979139113 added the kind/bug Categorizes issue or PR as related to a bug. label Nov 9, 2021
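The reporter's fix (restrict the extension to an image allow-list) is the right first step, but an extension check alone does not stop an HTML file that has simply been renamed to .png, and how the stored file is served decides whether the browser will ever parse it as a document. The following is an added example, not Halo's code (Halo is a Java/Spring project; Python is used here only to keep the check self-contained and runnable): it combines the extension allow-list from the report with a magic-byte check on the content and the response headers an upload endpoint should set. The function names, the sample bytes and the header set are constructed for this illustration.

```python
import re

# Reporter's suggested allow-list of avatar extensions (compared lower-cased).
ALLOWED_EXTENSIONS = {"png", "jpeg", "jpg", "gif", "bmp"}

# Leading bytes each allowed format must start with (from the public format
# specifications). An HTML file renamed to .png will not match any of these.
MAGIC_BYTES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "bmp": (b"BM",),
}

CONTENT_TYPES = {
    "png": "image/png",
    "jpg": "image/jpeg",
    "jpeg": "image/jpeg",
    "gif": "image/gif",
    "bmp": "image/bmp",
}


def check_avatar_upload(filename: str, data: bytes):
    """Validate an avatar upload (hypothetical helper, not Halo's API).

    Returns (True, extension) when the file is accepted and (False, reason)
    otherwise. Only the final extension counts, so "evil.png.html" is judged
    by ".html"; directory components are discarded so a crafted name cannot
    escape the upload directory.
    """
    base = re.split(r"[\\/]", filename)[-1]
    stem, dot, ext = base.rpartition(".")
    if not dot or not stem:
        return False, "file name must have a base name and an extension"
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension .{ext} is not an allowed image type"
    # The extension is only a claim; the bytes must look like that image type.
    if not data.startswith(MAGIC_BYTES[ext]):
        return False, "file content does not match the declared image type"
    return True, ext


def response_headers_for(ext: str) -> dict:
    """Headers to serve a stored avatar with so a browser never treats it as HTML.

    A fixed Content-Type plus nosniff stops MIME sniffing; the CSP sandbox is
    a second layer in case some path still serves the bytes as a document.
    """
    return {
        "Content-Type": CONTENT_TYPES[ext],
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }


# Constructed sample inputs (not taken from the report): a minimal PNG header,
# a JPEG header, and an HTML document of the kind the browser would parse.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 16
HTML_SAMPLE = b"<!doctype html><html><body>uploaded page</body></html>"

if __name__ == "__main__":
    cases = [
        ("avatar.png", PNG_SAMPLE),          # genuine image: accepted
        ("avatar.html", HTML_SAMPLE),        # the report's case: rejected by extension
        ("avatar.png", HTML_SAMPLE),         # HTML renamed to .png: rejected by content
        ("avatar.png.html", PNG_SAMPLE),     # double extension: last one wins, rejected
        ("../../avatar.JPEG", JPEG_SAMPLE),  # path dropped, case folded: accepted
    ]
    for name, blob in cases:
        print(f"{name:22} -> {check_avatar_upload(name, blob)}")
```

The two checks are deliberately independent: the allow-list handles the case in the report, the magic-byte check handles the renamed file, and the headers cover whatever gets past both. The payload in the report reads the access token from the site's localStorage; serving uploads from a separate origin, as the second function's headers only partly approximate, keeps that storage out of reach of any uploaded file regardless of how it is parsed.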
@ruibaby
Member

ruibaby commented Nov 9, 2021

Hello, at present this project is designed for a single administrator only, which means that currently only the administrator can operate the backend. So even though such a problem exists, we will not raise its priority for the time being.

Also, have you read https://github.com/halo-dev/halo/blob/master/SECURITY.md
