Headline
CVE-2022-0950: Unrestricted Upload of File with Dangerous Type in showdoc
Unrestricted Upload of File with Dangerous Type in GitHub repository star7th/showdoc prior to 2.10.4.
Description
This is a bypass of the fix for report https://huntr.dev/bounties/3eb5a8f9-24e3-4eae-a212-070b2fbc237e/.
The attachment upload feature still accepts files whose extension ends in html (for example .xhtml or .1html). When such a file is opened through the attachment viewer, the browser renders it as HTML, so any script it contains runs in the showdoc origin: a stored XSS.
Proof of Concept
Step 1: Log in to showdoc.com.cn.
Step 2: Go to https://www.showdoc.com.cn/attachment/index
Step 3: In the File Library page, click the Upload button and upload a file whose content is the payload below. The file name can use any extension matching the regex .([a-zA-Z0-9])*html (for example poc.xhtml or poc.1html); such extensions pass the upload filter.
<script>alert(origin)</script>
Step 4: Click the check button to open the uploaded file in a new tab; the script executes in the showdoc origin.
POC URL:
https://www.showdoc.com.cn/server/api/attachment/visitFile?sign=4422094937428007ab74c30faea73ef3
https://www.showdoc.com.cn/server/api/attachment/visitFile?sign=d40db01d06885a0ff0e2b48818d5ad31
https://www.showdoc.com.cn/server/api/attachment/visitFile?sign=08059f8a61fa5838255f9c3b848ad347
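The following is an added illustration, not code from this advisory or from showdoc (whose backend is PHP; Python is used here only to keep the example runnable). It reconstructs why an extension blocklist is defeated by names matching the regex quoted above, and places a final-extension allowlist and safe download headers beside it. The filter functions, the allowlist contents and the sample file names are assumptions made for the example.

```python
import re
from pathlib import PurePosixPath

# Constructed sample file names (not taken from the advisory). The first two
# match the bypass regex quoted in the report; the third is the plain .html case.
SAMPLE_NAMES = ["poc.xhtml", "poc.1html", "poc.html", "report.pdf", "evil.pdf.xhtml"]

# The regex quoted in the report: an extension made of alphanumerics that ends in "html".
BYPASS_EXT = re.compile(r"\.[a-zA-Z0-9]*html$")


def matches_bypass_pattern(filename: str) -> bool:
    """True when the name has an extension that the report's regex describes."""
    return BYPASS_EXT.search(filename) is not None


# Hypothetical weak filter (an assumption, not showdoc's code): a blocklist that
# rejects only the literal "html" / "htm" extensions.  Anything else is accepted,
# including .xhtml and .1html, which browsers will still render as HTML when served
# with a text/html content type.
def weak_filter_accepts(filename: str) -> bool:
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    return ext not in {"html", "htm"}


# Hardened filter (example policy): allowlist the final extension only, compared
# case-insensitively, after dropping any directory components from the name.
ALLOWED_EXT = {"pdf", "png", "jpg", "jpeg", "gif", "txt", "zip"}


def hardened_filter_accepts(filename: str) -> bool:
    name = PurePosixPath(filename).name  # strip "../" or "/tmp/" prefixes
    if "." not in name or name.startswith("."):
        return False
    ext = name.rsplit(".", 1)[-1].lower()  # only the LAST extension counts
    return ext in ALLOWED_EXT


def download_headers(filename: str) -> dict:
    """Response headers for serving an untrusted upload: force a download and
    forbid MIME sniffing so the browser never renders the body as HTML inside
    the application's origin, whatever the extension says."""
    safe = re.sub(r"[^A-Za-z0-9._-]", "_", PurePosixPath(filename).name)
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe}"',
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    print(f"{'name':16} {'bypass-regex':13} {'weak':6} {'hardened':8}")
    for n in SAMPLE_NAMES:
        print(f"{n:16} {str(matches_bypass_pattern(n)):13} "
              f"{str(weak_filter_accepts(n)):6} {str(hardened_filter_accepts(n)):8}")
```

Even with the allowlist, user uploads should be served from a separate origin (or with the headers above) so that a file that slips through a filter cannot execute script against the application's session.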
Impact
Stored XSS: any authenticated user can upload a file with an html-suffixed extension whose JavaScript runs in the showdoc origin for every user who opens it through the visitFile URL.