CVE-2023-49444: GitHub - woshinibaba222/DoraCMS-File-Upload-Vulnerability
An arbitrary file upload vulnerability in DoraCMS v2.1.8 allows attackers to execute arbitrary code by uploading a crafted HTML or image file as the user avatar.
DoraCMS File Upload Vulnerability
Vulnerability Description
DoraCMS User Management allows the upload of avatars for any user, enabling the alteration of uploaded avatars to HTML files that can execute XSS statements. Additionally, it permits the insertion of malicious links into uploaded images, deceiving users into clicking and downloading malicious programs.
Affected Versions
DoraCMS version 2.1.8
Source Code Download Link
https://github.com/doramart/DoraCMS
Reproduction Steps:
Access the user management interface and edit the details of any user.
Click on the avatar in the image and choose a picture to upload.
Modify the request packet as shown in the picture: change the file extension of the image to HTML.
Append XSS statements at the end; here, I will use the following, which pops up the cookie:
<script>alert(document.cookie)</script>
Continue sending the request. You can see that the upload was successful.
Click on the update button as shown in the picture.
Let’s go back and review the request history in Burp, where you can see the path to the logo. Now, concatenate the address and access it: http://127.0.0.1:8080/static/upload/images/20231123/1700705529363061526.html
XSS popup successful.
Attackers can also insert links they want system users to click into the image.
Upload successful.
Access http://127.0.0.1:8080/static/upload/images/20231123/1700707364548976301.html
This way, attackers can exploit the trust users place in the system to get them to download malicious programs, or to perform other attacks.
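A server-side check that rejects both uploads from the reproduction steps, as an added example rather than DoraCMS code: it identifies the image from its leading bytes, refuses data after the end-of-image marker, and takes the stored extension from the detected type instead of the request. `validateAvatar`, `TYPES` and the sample buffers are assumptions made for illustration.

```javascript
// Added example, not DoraCMS code. validateAvatar and TYPES are hypothetical names.
const TYPES = [
  { ext: 'png', names: ['png'],
    head: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a],
    // A well-formed PNG ends with the IEND chunk: length 0, "IEND", CRC.
    tail: [0x00, 0x00, 0x00, 0x00, 0x49, 0x45, 0x4e, 0x44, 0xae, 0x42, 0x60, 0x82] },
  { ext: 'jpg', names: ['jpg', 'jpeg'], head: [0xff, 0xd8, 0xff], tail: [0xff, 0xd9] },
  { ext: 'gif', names: ['gif'], head: [0x47, 0x49, 0x46, 0x38], tail: [0x3b] },
];

const startsWith = (buf, bytes) =>
  buf.length >= bytes.length && bytes.every((b, i) => buf[i] === b);
const endsWith = (buf, bytes) =>
  buf.length >= bytes.length &&
  bytes.every((b, i) => buf[buf.length - bytes.length + i] === b);

function validateAvatar(clientName, buf) {
  // 1. Decide the type from the content, not from the filename or Content-Type.
  const type = TYPES.find((t) => startsWith(buf, t.head));
  if (!type) return { ok: false, reason: 'content is not PNG, JPEG or GIF' };
  // 2. Strict: bytes after the end-of-image marker are where appended markup sits.
  if (!endsWith(buf, type.tail)) return { ok: false, reason: 'data after end of image' };
  // 3. A client extension that disagrees with the content is rejected (and worth logging).
  const clientExt = (clientName.split('.').pop() || '').toLowerCase();
  if (!type.names.includes(clientExt)) {
    return { ok: false, reason: `extension .${clientExt} does not match ${type.ext} content` };
  }
  // 4. The stored extension comes from the detected type, never from the request.
  return { ok: true, ext: type.ext };
}

// Constructed samples: PNG signature + IEND chunk only (enough for these checks),
// and the same bytes with the markup from the steps above appended.
const png = Buffer.from([...TYPES[0].head, ...TYPES[0].tail]);
const withScript = Buffer.concat([png, Buffer.from('<script>alert(document.cookie)</script>')]);

console.log(validateAvatar('avatar.png', png));        // accepted, stored as .png
console.log(validateAvatar('avatar.html', png));       // rejected: extension mismatch
console.log(validateAvatar('avatar.png', withScript)); // rejected: trailing data
```

Serving the upload directory with `X-Content-Type-Options: nosniff` and a `Content-Type` fixed by the stored extension keeps a file that slips through from being rendered as HTML.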