Filename Restriction Bypass Leading To Persistent Cross-site Scripting Vulnerability

[passtheticket]

Describe the bug
A html file can be uploaded with .html.aaa or .htm.aaa file extensions. When the file is opened, it executes the Javascript code inside it. On the other hand, file uploading with the .html. and .htm. file extensions are enough to execute Javascript for Linux servers. The WinRemoveTailDots plugin prevents uploading these file extensions using rtrim function for Windows server.

To Reproduce

1. Select arbitrary png file to upload.
2. Capture request with Burp and set content as test<img/src/onerror=alert(document.cookie)>
3. Set filename like test.html.aaa or test.htm.aaa
4. After forwarding the request, the file is successfully uploaded under the files directory.

Screenshots

Tested on:

• OS: Windows & XAMPP server
• OS: Debian & Apache2

[nao-pon]

@passtheticket Thank you for your report. I think this problem is caused by the fact that MIME detection of multiple extensions is not supported. I will fix this.