8000 php file upload and xss (security bug) · Issue #1122 · UniSharp/laravel-filemanager · GitHub
[go: up one dir, main page]
Skip to content

php file upload and xss (security bug) #1122

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
hasanali586q opened this issue Mar 10, 2022 · 4 comments
Closed

php file upload and xss (security bug) #1122

hasanali586q opened this issue Mar 10, 2022 · 4 comments
Labels
security Exploits, attacks, dangerous leaks.

Comments

@hasanali586q
Copy link
hasanali586q commented Mar 10, 2022
edited
Loading

  1. It's possible to upload php file by changing extension of image with php code payload. While uploading file you can change extension of uploaded file to php and you can bypass mime type check by concatenating php code binarily to image file or to meta data of image.
    More on video attached.

  2. XSS - while renaming file, you can paste xss payload and it will be stored on the server and run on userside.
@NModern
Copy link
Contributor
NModern commented Mar 15, 2022

Are you going to fix these critical bugs?

Veyselxan added a commit to Veyselxan/laravel-filemanager that referenced this issue Mar 16, 2022
@Veyselxan
php file upload bug fix UniSharp#1122
c4f35b3
Veyselxan added a commit to Veyselxan/laravel-filemanager that referenced this issue Mar 16, 2022
@Veyselxan
php file upload bug fix UniSharp#1122
8074415
Veyselxan added a commit to Veyselxan/laravel-filemanager that referenced this issue Mar 16, 2022
@Veyselxan
php file upload bug fix 2 UniSharp#1122
98473bd
@streamtw streamtw added the security Exploits, attacks, dangerous leaks. label Mar 16, 2022
@streamtw
Copy link
Member

Hi @hasanali586q , thanks for reporting these issues.

Issue number 1 has already been handled and cannot be reproduces in v2.5.0.

Can you provide step to reproduce issue number 2?

@streamtw streamtw added the WIP Working in progress. label Jul 29, 2022
@streamtw
Copy link
Member

Part 1 of this issue is the same as #1113 , fixed in v2.5.0. I also made some enhancement in v2.6.2, so it will not be reproduced anymore.

I have received the video for part 2 of this issue. I will release a new version to fix it.

@streamtw
Copy link
Member

XSS attack happens only when previewing images. Renaming any file to names like: "><img src=x onerror=console.log(1)>.jpg will execute the script in onerror before v2.6.2. It is fixed in v2.6.3 by make the file name not executable.

I think it is much more safe to prevent saving XSS script by filtering file names. But it also occurs to me that symbols like ", <, > may sometimes make sense in a file name. I am not quite sure if filtering these symbol will make it more secure, or cause more trouble for developers and users.

So currently I do not filter these special symbols just yet. But I am open to discussion about whether it should be implemented or not.

If you have any opinion, please comment here.

@streamtw streamtw removed the WIP Working in progress. label Nov 22, 2023
@rizkiheryandi rizkiheryandi mentioned this issue May 13, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
security Exploits, attacks, dangerous leaks.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@streamtw @NModern @hasanali586q
0