DoraCMS User Management allows the upload of avatars for any user, enabling the alteration of uploaded avatars to HTML files that can execute XSS statements. Additionally, it permits the insertion of malicious links into uploaded images, deceiving users into clicking and downloading malicious programs.
DoraCMS version 2.1.8
https://github.com/doramart/DoraCMS
Access the user management interface and randomly edit the details of a user.
Click on the avatar in the image and choose a picture to upload.
Modify the request packet as shown in the image. Change the file extension of the image to HTML in the request packet as shown in the picture.
Append XSS statements at the end; here, I will make the following selection. #Popup cookie
<script>alert(document.cookie)</script>
Continuously send. You can see that the upload was successful.
Click on the update button as shown in the picture.
Let's go back and review the request history in Burp. You can see the path to the logo. Now, concatenate the address and access it. http://127.0.0.1:8080/static/upload/images/20231123/1700705529363061526.html
XSS popup successful.
Attackers can also insert links they want system users to click into the image.
Upload successful.
Access http://127.0.0.1:8080/static/upload/images/20231123/1700707364548976301.html
This way, attackers can leverage the trust of users in the system to download malicious programs or perform other attacks.