CVE-2023-37658: [Warning] Stored XSS in fast-poster v2.15.0 · Issue #13 · psoho/fast-poster
fast-poster v2.15.0 is vulnerable to Cross Site Scripting (XSS). The file upload checks that the binary content is an image but does not strictly check the file suffix at /server/fast.py -> ApiUploadHandler.post, which causes stored XSS.
Vulnerability Product: fast-poster v2.15.0
Vulnerability version: v2.15.0
Vulnerability type: Stored XSS
Vulnerability Details:
Vulnerability location: /api/upload
The file upload checks that the binary content is an image but does not strictly check the file suffix at /server/fast.py -> ApiUploadHandler.post, which causes stored XSS.
First, we prepare an image payload (containing JavaScript code in its last line):
When you access the payload in image format, it is an image.
When you access the payload in HTML format, it will execute code.
payload : https://github.com/Leeyangee/leeya_bug/blob/main/payload.jpg
Build the project or go to https://poster.prodapi.cn/#/, choose a random post such as
Click “上传” (Upload).
Choose payload.jpg; before uploading, turn on intercept (take Burp Suite as an example).
When uploading, change payload.jpg to payload.html.
Forward it, then turn off intercept.
Finally, go to the path store/upload/20230706/168beb5822ad77d9.html
Stored XSS successfully proved.
Discovered by leeya_bug
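
A server-side check that closes the gap described above, as an added example that is not fast-poster's code and not part of the original report: the stored suffix is derived from the file's magic bytes, so the client-supplied name never reaches the storage path. `plan_storage`, `sniff_image`, `UploadRejected` and the sample bytes are hypothetical names and constructed data.

```python
import secrets

# Magic-byte signatures for the image types the upload endpoint should accept.
SIGNATURES = {
    b"\xff\xd8\xff": ("jpg", "image/jpeg"),
    b"\x89PNG\r\n\x1a\n": ("png", "image/png"),
    b"GIF87a": ("gif", "image/gif"),
    b"GIF89a": ("gif", "image/gif"),
}

class UploadRejected(ValueError):
    """Raised when the uploaded bytes are not an allowed image type."""

def sniff_image(data: bytes):
    """Return (extension, mime) from the leading bytes, or None if not allowed."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    return None

def plan_storage(client_filename: str, data: bytes) -> dict:
    """Decide the stored name and response headers for an uploaded file.

    The client-supplied filename is never used to build the stored path:
    the suffix comes only from the sniffed content type.
    """
    kind = sniff_image(data)
    if kind is None:
        raise UploadRejected("content is not an allowed image type")
    ext, mime = kind
    return {
        "stored_name": f"{secrets.token_hex(8)}.{ext}",  # server-chosen name
        "headers": {
            "Content-Type": mime,                  # serve as the sniffed type
            "X-Content-Type-Options": "nosniff",   # stop browser re-sniffing
        },
        # True when the request's suffix disagreed with the content (worth logging).
        "client_suffix_ignored": not client_filename.lower().endswith("." + ext),
    }

# Constructed sample: a JPEG header followed by markup, sent with an .html name,
# mirroring the renamed payload.jpg -> payload.html request in the report.
SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16 + b"\n<script>/* placeholder */</script>"

if __name__ == "__main__":
    print(plan_storage("payload.html", SAMPLE))
```

With this policy the renamed upload is stored with a `.jpg` suffix and served as `image/jpeg`, so the trailing markup is never interpreted as HTML.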