
FileUpload XSS vulnerability #1439

Closed
whaleshogun opened this issue May 19, 2016 · 10 comments
Labels
5.3.18 6.0.30 🐞 defect Bug...Something isn't working 🔒 security Security related issue or enhancement

Comments

@whaleshogun

whaleshogun commented May 19, 2016

Primefaces version 5.1.141 (ELITE Build)

<p:fileUpload fileUploadListener="#{calendarMappingController.handleFileUpload}"
              mode="advanced"
              label="#{msg['calendarmapping.importfromexcel']}"
              allowTypes="/(\.|\/)(xls|xlsx)$/"
              update="calendarMappings"
/>

Uploading a file named <img src=x onerror=alert('XSS')>.xlsx (under Linux, since Windows won't allow file names with special characters).

Result:

html content in file name is not escaped.


@cnsgithub
Contributor

cnsgithub commented May 20, 2016

Note: This XSS vulnerability is not dependent on any OS since there is always the possibility to tamper with POST data and use specially crafted file names albeit those characters would be invalid in Windows file names...
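Added illustration (not PrimeFaces code) of the two points made in the report and the note above: the allowTypes regex from the original markup accepts the crafted name because it only inspects the extension, and since the name arrives in the multipart body it cannot be trusted on any OS, so the widget must HTML-escape it before writing it into the upload table. The function names and the row markup are assumed for the example.

```javascript
'use strict';

// The client-side type filter exactly as configured in the report.
// It only checks the extension, so it is not a sanitizer for the name.
const ALLOW_TYPES = /(\.|\/)(xls|xlsx)$/;

function allowedByTypeFilter(fileName) {
  return ALLOW_TYPES.test(fileName);
}

// Escape the characters that can break out of HTML text or attribute
// context before a user-controlled value is concatenated into markup.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern (assumed shape of the bug): the file name reported
// by the browser, or by a tampered POST body, goes straight into markup.
function renderFileRowUnsafe(fileName, sizeBytes) {
  return '<tr><td>' + fileName + '</td><td>' + sizeBytes + '</td></tr>';
}

// Hardened pattern: every user-controlled value is escaped first, and the
// numeric field is coerced so it cannot carry markup either.
function renderFileRowSafe(fileName, sizeBytes) {
  return '<tr><td>' + escapeHtml(fileName) + '</td><td>' + Number(sizeBytes) + '</td></tr>';
}

// Detection helper for tests or a review checklist: does the produced
// markup still contain a raw tag opener that came from the input?
function containsRawTag(html) {
  return /<\s*[a-z][^>]*>/i.test(html.replace(/<\/?(tr|td)>/g, ''));
}

// Constructed sample: the file name used in the report above.
const SAMPLE_NAME = "<img src=x onerror=alert('XSS')>.xlsx";

function demo() {
  return {
    passesFilter: allowedByTypeFilter(SAMPLE_NAME),
    unsafeRow: renderFileRowUnsafe(SAMPLE_NAME, 1024),
    safeRow: renderFileRowSafe(SAMPLE_NAME, 1024),
  };
}
```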

@tandraschko
Member

Does it still occur in 6.0?

@whaleshogun
Author

The problem still occurs in PrimeFaces 6.0.RC3

@viaram

viaram commented Nov 7, 2016

Are there any news regarding this issue?

@orange-buffalo
Contributor

The problem is still reproducible on 'FileUpload - Single' demo page, running PrimeFaces-6.0.12 on Mojarra-2.2.8.

@melloware
Member

I think I can fix this. I will submit a PR.

tandraschko added a commit that referenced this issue Apr 3, 2017
Fix #1439: File Upload XSS Vulnerability
@tandraschko tandraschko self-assigned this Apr 3, 2017
@tandraschko tandraschko added the 🐞 defect Bug...Something isn't working label Apr 3, 2017
@tandraschko tandraschko added this to the 6.1.RC3 milestone Apr 3, 2017
@tandraschko
Member

Thanks!

@GedMarc
Contributor

GedMarc commented Oct 22, 2018

Can't seem to find an update -

Is the upload using jQuery File Upload? Is PrimeFaces affected by the exploit?
https://securityaffairs.co/wordpress/77245/hacking/jquery-file-upload-plugin-0day.html

https://github.com/blueimp/jQuery-File-Upload/blob/master/SECURITY.md

@cnsgithub
Contributor

cnsgithub commented Oct 23, 2018

@GedMarc I cannot see how the exploit is related to this issue. See this one also: #3269

Probably there are issues with jQuery-File-Upload's client validations, however this does not automatically imply that PrimeFaces is vulnerable to malware infection because that highly depends on the server-side implementation, i.e. the upload handler storing the uploaded files somewhere at the server. Of course, then it further depends on the webserver configuration and the stored upload location, if e.g. malicious PHP files may get executed or not...

@cnsgithub
Contributor

cnsgithub commented Oct 23, 2018

I looked at the PoC: it's just trying to exploit the PHP server-side sample implementation on misconfigured Apache httpd installations, quite boring.
