Because none of the upload functions in webroot/dzz/attach/Uploader.class.php sanitize input data, and webroot/dzz/attach/controller.php returns its output with the wrong response Content-Type, an authenticated user (not an admin) can inject malicious code into fileName and craft a specific HTML file; when a user clicks on that file, the script is executed.
To Reproduce
Steps to reproduce the behavior:
1. Go to any textarea form and use the upload function.
2. Inject malicious script into fileName, like <img src=x onerror=alert(1);
3. Craft a specific HTML file that sends the request to the server from the web client; when a user clicks on that file, the malicious script is executed.
#Author: KietNA from 1nv1cta team, HPT CyberSecurity Center
#Email: kietnguyenanh9320@gmail.com
#Submit date: 28/08/2021
#Target: http://www.dzzoffice.com/
#Version: 2.02.1 (https://github.com/zyx0814/dzzoffice/releases/tag/2.02.1)
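A defensive sketch of the two fixes the report points to: sanitizing fileName on upload and returning the result with a correct Content-Type. This is an added example, not DzzOffice code; the function names and the response fields are hypothetical.

```php
<?php
// Added illustration, not DzzOffice code. All function names are hypothetical.

// Reduce a client-supplied file name to a harmless display/storage name.
function sanitize_upload_name(string $name): string
{
    // Keep only the last path component (handle both separator styles).
    $name = basename(str_replace('\\', '/', $name));
    // Allow letters, digits, space, dot, dash, underscore; replace the rest.
    // Invalid UTF-8 makes preg_replace() return null, handled below.
    $name = preg_replace('/[^\p{L}\p{N} ._-]/u', '_', $name) ?? '';
    $name = trim($name, ' .');
    // mb_substr() needs the mbstring extension.
    return $name === '' ? 'upload' : mb_substr($name, 0, 200, 'UTF-8');
}

// Build the JSON body; the HEX flags escape <, >, &, ' and " as \uXXXX.
function upload_result_json(string $clientName): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return json_encode(
        ['state' => 'SUCCESS', 'fileName' => sanitize_upload_name($clientName)],
        $flags
    );
}

// Send the result as JSON so a browser never parses it as HTML.
function send_upload_result(string $clientName): void
{
    header('Content-Type: application/json; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    echo upload_result_json($clientName);
}

// Encode on output wherever the stored name is written into an HTML page.
function html_name(string $storedName): string
{
    return htmlspecialchars($storedName, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The fileName value from the reproduction steps, used as sample input.
send_upload_result('<img src=x onerror=alert(1);');
echo PHP_EOL, html_name('<img src=x onerror=alert(1);'), PHP_EOL;
```

Sanitizing at upload and encoding at output are both kept on purpose: names stored before the fix, or written by another code path, are still rendered safely.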