Vulnerability: The html file can be uploaded where the avatar is uploaded, and its content not be filtered, which resulting in stored XSS in Ruoyi cms

Vulnerability disclosure

Vulnerability title: The html file can be uploaded where the avatar is uploaded, and its content not be filtered, which resulting in stored XSS in Ruoyi cms

Product: https://github.com/yangzongzhuan/RuoYi

Affected Versions: v4.7.3(the lastest vesion)

Discovery time: 2022.5.16

Found by: solarpeng502

Exploit sence: The System allows multiple users to log in. If a user is granted user management rights, he can insert a malicious xss payload on user management page, so that all users with this permission can access and trigger an xss attack

Analysis report:

1. If you are not Chinese,please change the language into the English through Browser translation plugin such as Google.

2. After deployment, enter the background management page
![输入图片说明](https://images.gitee.com/uploads/images/2022/0516/080036_f4f4f37a_9511494.png "屏幕截图.png")

3. Click the avatar into the personal center
![输入图片说明](https://images.gitee.com/uploads/images/2022/0516/080057_0b15bf34_9511494.png "屏幕截图.png")

4. Click the "modify avatar",and upload a normal image,the click OK button
![输入图片说明](https://images.gitee.com/uploads/images/2022/0516/080127_be36e483_9511494.png "屏幕截图.png")
![输入图片说明](https://images.gitee.com/uploads/images/2022/0516/080147_59bce25c_9511494.png "屏幕截图.png")

5. Intercept the request package with a packet capture tool such as burp, change the file suffix to html, and change the content with xss payload such as "<script>alert(1)</script>,then pass the request,and the response shows "{"msg":"操作成功","code":0}",which means upload success
![输入图片说明](https://images.gitee.com/uploads/images/2022/0516/080206_6879f9de_9511494.png "屏幕截图.png")
![输入图片说明](https://images.gitee.com/uploads/images/2022/0516/080225_8fedc747_9511494.png "屏幕截图.png")
![输入图片说明](https://images.gitee.com/uploads/images/2022/0516/080240_59212ebb_9511494.png "屏幕截图.png")

6. Refresh the index page,start burp,and then click the avatar again,the burp will intercept the xss html that we upload
![输入图片说明](https://images.gitee.com/uploads/images/2022/0516/080256_877a08a4_9511494.png "屏幕截图.png")
![输入图片说明](https://images.gitee.com/uploads/images/2022/0516/080310_2b283ba5_9511494.png "屏幕截图.png")

7. Copy the html url,and then send to the other users using Ruoyi cms,if they click,the xss attack is triggered
![输入图片说明](https://images.gitee.com/uploads/images/2022/0516/080330_9df6bbcc_9511494.png "屏幕截图.png")

POC:

POST /system/user/profile/updateAvatar HTTP/1.1
Host: mysite.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: /
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------21781164112778176297556867959
Content-Length: 249
Origin: http://mysite.com/
Connection: close
Referer: http://mysite.com/system/user/profile/avatar
Cookie: Your cookies

-----------------------------21781164112778176297556867959
Content-Disposition: form-data; name="avatarfile"; filename="blob.html"
Content-Type: image/png

Fixes: The backend should verify the file suffix, and do not allow html file upload;or check the content in Html file that filter xss payloads.

GVP 若依/RuoYi

Content Risk Flag

Comments (1)

GVP若依/RuoYi

Content Risk Flag