Vulnerability found in file upload (Stored-XXS possible)

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
1 year ago
nopCommerce version: 4.50.3 (possibly also in other versions)
Description: Vulnerability found in file upload due to client-side ability to determine content-type.
The extension that are allowed is defined, but it can be overwritten in the POST.

We analyze the valid POST request to: POST /Admin/Picture/AsyncUpload
We change the Content-Type from image/gif to image/svg and the content of the file contains the XSS code.

The validation of the response is:
  
Now that you have an SVG file on the server, an already described vulnerability can be exploited as demonstrated here:https://infosecwriteups.com/stored-xss-using-svg-file-2e3608248fae
From the forum you can link to the file and run a Stored-XSS.
"http://localhost/images/thumbs/test.svg" rel="nofollow,ugc">http://localhost/images/thumbs/test.svg

We advise to have the content-type determined server-side to fix the vulnerability.
Please let us know if you require additional information.
1
1 year ago
We've already fixed it for public store. But we've decided to leave it for admin area because it doesn't make any sense for a store owner to "hack" its own store.
Interested in the dedicated Premium support services provided by core developers? Please visit https://www.nopcommerce.com/nopcommerce-premium-support-services

Regards,
Andrei Mazulnitsyn
nopCommerce team
2
1 year ago
Thanks for applying the fix as described in https://github.com/nopSolutions/nopCommerce/issues/6378

It makes sense to secure it by default ;-)
0
This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.