XSS in the file upload functionality #32

Open
uzakov opened this issue Feb 12, 2020 · 9 comments
Comments

@uzakov

uzakov commented Feb 12, 2020

There is an XSS (Cross-site scripting) present in the file upload functionality, where someone can upload a file with a malicious filename, which contains JavaScript code, which would result in XSS.
Example: https://github.com/manolo/gwtupload/blob/master/samples/src/main/java/gwtuploadsample/client/SingleUploadSample.java
How to reproduce:

  1. Deploy the SingleUploadSample war file ( https://mvnrepository.com/artifact/com.googlecode.gwtupload/gwtupload-samples/1.0.3 )
  2. Upload a file from a Linux system (due to Windows filename character restrictions) whose name contains JavaScript code. For example: a <img src=x onerror=alert("AppSec")>
@uzakov
Author

uzakov commented Mar 2, 2020

xss demo

stumoss added a commit to stumoss/gwtupload that referenced this issue Mar 4, 2020
Sanitise the upload file name using GWT's SafeHtml. Further issues were
found whereby the filename must also be safe to be encoded to XML but
that is a different bug and therefore not fixed by this commit.
stumoss added a commit to clearswift/gwtupload that referenced this issue Mar 4, 2020
Sanitise the upload file name using GWT's SafeHtml. Further issues were
found whereby the filename must also be safe to be encoded to XML but
that is a different bug and therefore not fixed by this commit.
@sankosk

sankosk commented Oct 2, 2020

That's a self-XSS; exploitability is almost null.

@uzakov
Author

uzakov commented Oct 2, 2020

@sankosk I would have to disagree on the "exploitability is almost null". Many OSes and applications do not show the full filename, only the first X characters. The user would not see the JS code at the end of the filename in many scenarios.

@sankosk

sankosk commented Oct 2, 2020

@uzakov I agree that's a bad practice and there are multiple scenarios where it can be useful.
However, the official score you've set for the CVE is 6,4, which is extremely high and for sure not even close to reality. Proper scoring should be lower, around 3-4.

csware mentioned this issue Feb 14, 2021
@csware
Contributor

csware commented Feb 14, 2021

cf. PR #36

@Roleek

Roleek commented Mar 10, 2021

Pen testers identified this as an issue in our application and refused to accept the reasoning that this actually affects only the one who uploads the file. So here is my patch that fixes the issue. The idea of the patch is not to send the file name back to the client side, to avoid JavaScript in the file name being executed as part of the alert on the client side.
0001-Fixes-that-uploading-a-file-with-malicious-filename-.zip
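As an added example (not gwtupload's own code, nor the patch attached above), the JavaScript below contrasts the rendering pattern the issue describes with an escaped one, and adds the server-side filename check and the upload-log check a defender would want alongside either fix. All function names, the regular expressions and the log line format are assumptions; the sample filename is the one from the reproduction steps.

```javascript
// Added example, not gwtupload's own code. The filename an upload server echoes
// back is untrusted input; every function and format below is an assumption.

// Constructed sample, taken from the issue's reproduction step.
const SAMPLE_FILENAME = 'a <img src=x onerror=alert("AppSec")>';

// Escape the five characters that can change HTML context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the raw filename is interpolated into markup, so the
// <img onerror=...> inside the name becomes live HTML once rendered.
function renderStatusUnsafe(filename) {
  return `<div class="status">Uploaded: ${filename}</div>`;
}

// Hardened pattern: escape before the name reaches any HTML sink (the same
// idea as routing the name through GWT's SafeHtml, as the linked commit does).
function renderStatusSafe(filename) {
  return `<div class="status">Uploaded: ${escapeHtml(filename)}</div>`;
}

// Server-side check: accept a conservative filename alphabet and no path
// components, so the payload is never stored or echoed anywhere (listings,
// logs, other users' views), independent of how each client renders it.
const SAFE_FILENAME = /^[A-Za-z0-9][A-Za-z0-9._ -]{0,254}$/;
function isAcceptableFilename(filename) {
  return SAFE_FILENAME.test(filename) && !filename.includes('..');
}

// Detection: flag upload log entries whose filename carries a tag, an
// event-handler attribute or a javascript: URL.
const HTML_IN_NAME = /<[a-z!\/]|on[a-z]+\s*=|javascript:/i;
function flagSuspiciousUploads(logLines) {
  // Constructed log format: "<timestamp> UPLOAD user=<id> name=<filename>"
  return logLines.filter((line) => {
    const m = line.match(/name=(.*)$/);
    return m !== null && HTML_IN_NAME.test(m[1]);
  });
}

// Constructed sample log, three upload events.
const SAMPLE_LOG = [
  '2020-02-12T10:00:01Z UPLOAD user=42 name=report.pdf',
  '2020-02-12T10:00:07Z UPLOAD user=42 name=' + SAMPLE_FILENAME,
  '2020-02-12T10:01:15Z UPLOAD user=7 name=notes on budget.txt',
];
```

Run with `node` and call `flagSuspiciousUploads(SAMPLE_LOG)`; only the second line is reported, and `renderStatusSafe(SAMPLE_FILENAME)` contains no live tag.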

@akash-chourasia

Hi,

Is there any chance that a new version will be released with the vulnerability fixes?

@SSK-code

Is there any update on this issue?
I am facing the XSS due to the file name.

@raghulvishnudhinesh

Please let me know the workaround or the solution for this fix.

7 participants