Headline
CVE-2021-43659: Arbitrary file upload in the backend could cause a stored XSS vulnerability. · Issue #1522 · halo-dev/halo
In halo 1.4.14, the function point of uploading the avatar, any file can be uploaded, such as uploading an HTML file, which will cause a stored XSS vulnerability.
Which version of Halo has the issue?
1.4.13
What database are you using?
Other
What is your deployment method?
Fat Jar
Your site address.
No response
What happened?
At the function point of uploading the avatar, any file can be uploaded, such as uploading an HTML file, which will cause a stored XSS vulnerability.
1. The file upload function point.
2. Upload an HTML file; the upload is reported as successful.
3. Access the HTML file; you can see that it is parsed by the browser.
If you upload malicious XSS code, you will get the user's token, like this:
Payload
<script> document.write(localStorage.getItem("halo__Access-Token")); document.write("</br></br>"); document.write(localStorage.getItem("halo__USER")); </script>
Analyzing the code shows that files with any suffix can be uploaded; there is no restriction on the file's suffix (extension).
It is recommended to only allow the extension parameter
to be png, jpeg, jpg, gif, bmp or other image suffixes.
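As an added example of the allowlist the report recommends (this is not Halo's own code; the class and method names are assumed), extended with a file-signature check so that an HTML file merely renamed to .png is rejected as well:

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/** Added example, not Halo's code: validates an avatar upload by extension allowlist plus file signature. */
public final class AvatarUploadValidator {

    // Extensions the report recommends allowing for avatars.
    private static final Set<String> ALLOWED_EXTENSIONS = Set.of("png", "jpeg", "jpg", "gif", "bmp");

    // Leading bytes (file signatures) each allowed image format must start with.
    private static final Map<String, byte[]> MAGIC = Map.of(
            "png",  new byte[] {(byte) 0x89, 'P', 'N', 'G'},
            "jpeg", new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
            "jpg",  new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
            "gif",  "GIF8".getBytes(StandardCharsets.US_ASCII),
            "bmp",  "BM".getBytes(StandardCharsets.US_ASCII));

    private AvatarUploadValidator() {}

    /** Returns the lower-cased extension of the bare file name, or null if there is none. */
    static String extensionOf(String filename) {
        if (filename == null) return null;
        // Drop any path component so a client-supplied "../x.png" cannot influence the result.
        int slash = Math.max(filename.lastIndexOf('/'), filename.lastIndexOf('\\'));
        String base = filename.substring(slash + 1);
        int dot = base.lastIndexOf('.');
        if (dot < 0 || dot == base.length() - 1) return null;
        return base.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    /** True only if the extension is allowlisted AND the content starts with that format's signature. */
    public static boolean isAcceptableAvatar(String filename, byte[] content) {
        String ext = extensionOf(filename);
        if (ext == null || !ALLOWED_EXTENSIONS.contains(ext)) {
            return false; // e.g. "avatar.html" is rejected by the allowlist alone
        }
        byte[] sig = MAGIC.get(ext);
        if (content == null || content.length < sig.length) return false;
        // Extension and content must agree: an HTML document renamed to .png fails here.
        return Arrays.equals(Arrays.copyOf(content, sig.length), sig);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: an HTML body and a minimal PNG header.
        byte[] html = "<script>alert(1)</script>".getBytes(StandardCharsets.UTF_8);
        byte[] png = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};
        System.out.println("html as .html: " + isAcceptableAvatar("avatar.html", html));
        System.out.println("html as .png:  " + isAcceptableAvatar("avatar.png", html));
        System.out.println("png as .png:   " + isAcceptableAvatar("avatar.png", png));
    }
}
```

Serving the stored files with an image Content-Type and X-Content-Type-Options: nosniff is a complementary control, since the browser's rendering decision is what turns an uploaded file into stored XSS.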
Relevant log output
No response
Additional information
No response