Headline
CVE-2023-0747: File Upload Type Validation Error lead to Stored XSS in btcpayserver
Cross-site Scripting (XSS) - Stored in GitHub repository btcpayserver/btcpayserver prior to 1.7.6.
Description
Stored cross-site scripting (also known as second-order or persistent XSS) arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way.
Steps to Reproduce
1. Log in to the application and create a Store called "Test", leaving all other details at their defaults.
2. Navigate to the "Store Settings -> General" tab.
3. Under the "Branding" section there is a "Choose File" control for selecting a logo for the store.
4. Use the "Choose File" option to select an image; any ".png" image will do.
5. Intercept the POST request issued by the "Choose File" option using Burp Suite (an intercepting proxy).
6. Send the intercepted request to the "Repeater" tab of Burp Suite.
7. First delete the content of the uploaded .png file, then change the extension from ".png" to ".php" (i.e. filename="profile-picture.php") and put the payload below in the file content.
8. Payload: <script>alert(document.domain)</script>
9. Send the modified request and use "Follow redirection" in Burp Suite.
10. Return to the browser and reload the site. The image is shown as uploaded but does not load automatically, so right-click the "store" profile section and choose "Open image in new tab"; the file is loaded in the new tab and the XSS payload pops up.
Note: to see how the above steps are carried out, watch the video PoCs in ascending order:
- POC-1
- POC-2
- POC-3
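The root cause in the report is that the upload was accepted on the strength of its filename and then served in a way the browser could render as HTML. As an added example (not BTCPay Server's own code), the following shows the two server-side checks that defeat the steps above: accept an image only when its extension and its leading bytes agree, and serve stored uploads with headers that prevent MIME sniffing and inline rendering on direct navigation. All function names and sample inputs are constructed here.

```python
# Added example, not BTCPay Server code: content-based validation of an
# uploaded logo plus safe response headers for serving stored uploads.
from typing import Optional, Tuple

# Leading bytes of the only image formats a logo upload should accept.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}
ALLOWED_EXT = {".png": "image/png", ".jpg": "image/jpeg",
               ".jpeg": "image/jpeg", ".gif": "image/gif"}


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the file's first bytes, or None."""
    for magic, mime in MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def validate_image_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Accept a file only if its extension AND its content name the same image type.

    The report's request renames the part to .php and replaces the body with
    <script>...</script>; each check below rejects that on its own.
    """
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXT:
        return False, f"extension {ext or '(none)'} not allowed"
    sniffed = sniff_image_type(data)
    if sniffed is None:
        return False, "content is not a recognised image"
    if sniffed != ALLOWED_EXT[ext]:
        return False, f"extension says {ALLOWED_EXT[ext]} but content is {sniffed}"
    return True, sniffed


def download_headers(mime: str, stored_name: str) -> dict:
    """Headers for serving a stored upload so the browser cannot treat it as HTML.

    nosniff pins the validated Content-Type; the attachment disposition makes
    a direct visit (the 'open image in new tab' step) download rather than render.
    """
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{stored_name}"',
    }
```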
Proof of Concept
VIDEO-POC
https://drive.google.com/drive/folders/1VkUcXf1ImfK_fR2y6qhWIlgfZYj8r296?usp=sharing
Impact
XSS can cause a variety of problems for the end user that range in severity from an annoyance to complete account compromise. The most severe XSS attacks involve disclosure of the user’s session cookie, allowing an attacker to hijack the user’s session and take over the account.
Related news
CVE-2023-0747: Fix XSS on uploaded files to the file storage · btcpayserver/btcpayserver@d4e464a