XSS in the file upload functionality #32

Open
uzakov opened this issue Feb 12, 2020 · 1 comment

@uzakov uzakov commented Feb 12, 2020

There is an XSS (cross-site scripting) present in the file upload functionality, where someone can upload a file with a malicious filename, which contains JavaScript code, which would result in XSS.
Example: https://github.com/manolo/gwtupload/blob/master/samples/src/main/java/gwtuploadsample/client/SingleUploadSample.java
How to reproduce:

  1. Deploy SingleUploadSample war file (https://mvnrepository.com/artifact/com.googlecode.gwtupload/gwtupload-samples/1.0.3)
  2. Upload a file from a Linux system (due to Windows filename character restrictions), which contains JavaScript code. For example: a <img src=x onerror=alert("AppSec")>

@uzakov uzakov commented Mar 2, 2020

xss demo

stumoss added a commit to stumoss/gwtupload that referenced this issue Mar 4, 2020
Sanitise the upload file name using GWT's SafeHtml. Further issues were
found whereby the filename must also be safe to be encoded to XML but
that is a different bug and therefore not fixed by this commit.
stumoss added a commit to clearswift/gwtupload that referenced this issue Mar 4, 2020
Sanitise the upload file name using GWT's SafeHtml. Further issues were
found whereby the filename must also be safe to be encoded to XML but
that is a different bug and therefore not fixed by this commit.
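
The issue and the referenced commits come down to output encoding of an untrusted filename before it reaches the page. The sketch below is an added example, not gwtupload code and not the commit's implementation: the function names are hypothetical, the sample filename is the one from the reproduction steps, and the tag check is a simple heuristic for tests rather than a sanitizer.

```javascript
// Added illustration, not gwtupload code. All function names are hypothetical.

// Constructed sample input: the filename from the reproduction steps above.
const SAMPLE_FILENAME = 'a <img src=x onerror=alert("AppSec")>';

// Characters that can change parsing in HTML text or quoted attribute contexts.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every special character, including '&', so already-encoded input
// is shown literally instead of being decoded a second time by the browser.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the filename is concatenated into markup, so the browser
// parses any tags it contains once the string is inserted as HTML.
function renderStatusUnsafe(filename) {
  return '<span class="filename">' + filename + '</span>';
}

// Hardened pattern: encode for the HTML context at the point of output.
function renderStatusSafe(filename) {
  return '<span class="filename">' + escapeHtml(filename) + '</span>';
}

// Test helper (heuristic): list tags in rendered markup other than the
// wrapper <span> that the renderer itself emits.
function unexpectedTags(markup) {
  const tags = markup.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.filter((tag) => !/^<\/?span\b/i.test(tag));
}

console.log('unsafe:', unexpectedTags(renderStatusUnsafe(SAMPLE_FILENAME)));
console.log('safe:  ', renderStatusSafe(SAMPLE_FILENAME));
```

A regression test for an upload widget can assert that `unexpectedTags` returns an empty list for filenames like the one in the report.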