FileUpload XSS vulnerability #1439
Comments
|
Note: This XSS vulnerability is not dependent on any OS since there is always the possibility to tamper with POST data and use specially crafted file names albeit those characters would be invalid in Windows file names... |
|
Does it still occur in 6.0? |
|
The problem still occurs in PrimeFaces 6.0.RC3 |
|
Are there any news regarding this issue? |
|
The problem is still reproducible on 'FileUpload - Single' demo page, running PrimeFaces-6.0.12 on Mojarra-2.2.8. |
|
I think I can fix this. I will submit a PR. |
Fix #1439: File Upload XSS Vulnerability
|
Thanks! |
|
Can't seem to find an update - Is the upload using jQuery File Upload? Is PrimeFaces affected by the exploit? https://github.com/blueimp/jQuery-File-Upload/blob/master/SECURITY.md |
|
@GedMarc I cannot see how the exploit is related to this issue. See this one also: #3269 Probably there are issues with jQuery-File-Upload's client validations, however this does not automatically imply that PrimeFaces is vulnerable to malware infection because that highly depends on the server-side implementation, i.e. the upload handler storing the uploaded files somewhere at the server. Of course, then it further depends on the webserver configuration and the stored upload location, if e.g. malicious PHP files may get executed or not... |
|
I looked at the PoC: it's just trying to exploit the PHP server-side sample implementation on misconfigured Apache httpd installations, quite boring. |
PrimeFaces version 5.1.141 (ELITE Build)

Uploading a file named `<img src=x onerror=alert('XSS')>.xlsx` (under Linux, since Windows won't allow file names with special characters).

Result: HTML content in the file name is not escaped.
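The defect the report describes is a file name concatenated into the upload widget's row markup without output escaping. The following is an added example, not PrimeFaces's own widget code, showing the unescaped pattern beside the hardened one and a small check that flags the injected element; the function names `renderFileRowUnsafe`, `renderFileRowSafe` and `containsForeignTag`, the row markup, and the file size are constructed assumptions, and only the file name comes from the report above.

```javascript
// Constructed example of unescaped vs. escaped file-name rendering in a
// browser-side upload widget. Not PrimeFaces code; names and markup are assumed.

// Minimal HTML escaper for text placed between tags or in quoted attributes.
function escapeHTML(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the user-controlled name is spliced straight into markup,
// so a name containing a tag becomes a live element in the page.
function renderFileRowUnsafe(file) {
  return '<tr><td class="filename">' + file.name + '</td>' +
         '<td class="size">' + file.size + '</td></tr>';
}

// Hardened pattern: every untrusted field is escaped at the point of output.
function renderFileRowSafe(file) {
  return '<tr><td class="filename">' + escapeHTML(file.name) + '</td>' +
         '<td class="size">' + escapeHTML(file.size) + '</td></tr>';
}

// Detection helper for a test or a review: report any tag in the rendered row
// that is not part of the row template itself.
function containsForeignTag(html) {
  const allowed = new Set(['tr', '/tr', 'td', '/td']);
  const tags = html.match(/<\/?[a-zA-Z][^\s>]*/g) || [];
  return tags.some(t => !allowed.has(t.slice(1).toLowerCase()));
}

// The file name is the one from the issue report; the size is a constructed value.
const reportedFile = { name: "<img src=x onerror=alert('XSS')>.xlsx", size: 12345 };

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe :', renderFileRowUnsafe(reportedFile));
  console.log('safe   :', renderFileRowSafe(reportedFile));
}
```

The same rule applies wherever the name is rendered back into HTML on the server side; in JSF, components such as `h:outputText` escape by default, and the widget-side template is the place where that guarantee was being bypassed here.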