Description
Summary
The project uses formidable with keepExtensions set to true and has insecure file upload checks. This allows attackers to upload malicious files with arbitrary extensions, creating vectors for stored Cross-Site Scripting (XSS) and potentially even Remote Code Execution (RCE).
Details
Code Analysis
- routes\bf\product.js

```js
// Imports implied by the excerpt (the advisory shows only the route handler).
const express = require('express');
const formidable = require('formidable');
const fs = require('fs');
const path = require('path');
const uuid = require('uuid');
const router = express.Router();

router.post("/addProductPic", function (req, res) {
  console.log('============');
  // Create form upload
  var form = new formidable.IncomingForm();
  // Set encoding
  form.encoding = 'utf-8';
  // Set file storage path
  form.uploadDir = "public/upload/product";
  // Preserve extensions: the client-supplied extension survives into the stored name
  form.keepExtensions = true;
  // Set single file size limit to 2MB
  form.maxFieldsSize = 2 * 1024 * 1024;
  //form.maxFields = 1000; Set total size for all files
  form.parse(req, function (err, fields, files) {
    for (let i = 1; i < 4; i++) {
      var file = files['pic' + i];
      if (!file || file.name == "") break;
      // Random base name, but the extension is taken unchanged from the upload
      let picName = uuid.v1() + path.extname(file.name);
      fs.rename(file.path, 'public\\upload\\product\\' + picName, function (err) {
        if (err) res.send({ "error": 403, "message": "Image saving exception!" });
        res.send({ "picName": picName, "picAddr": '/upload/product/' + picName });
      })
    }
  });
});
```

In this implementation, keepExtensions is set to true and the renaming is custom-implemented by the project developers: the stored name is a v1 UUID followed by the extension of the uploaded file, taken unchanged from the client-supplied filename, with no check on what that extension is. As shown, the HTTP response returns both picName and picAddr, but only when the file upload parameter names are exactly pic1, pic2, or pic3.
Test Procedure & Proof Of Concept
The Burp Suite screenshot shows that when the correct parameter names are used, the server returns the file information in the response.
Opening the returned URL in a browser then executes the XSS payload.
If arbitrary parameter names are used for file uploads, the files are still written to the server, but no URL information is returned in the response.
The screenshot confirms that the uploaded files exist on the target server, despite not receiving confirmation in the HTTP response when using incorrect parameter names.
As expected, the XSS payload still executes successfully.
Impact
- Code execution:
  - Allows attackers to upload server-side script files such as PHP, JSP, etc.
  - If the target server has corresponding interpreters, this may lead to remote code execution
- Client-side attacks:
  - Enables attackers to upload files with extensions like HTML, PDF containing malicious scripts
  - Thus creating stored XSS attack vectors that can target client users