
php file upload and xss (security bug)

Open hasanali586q opened this issue 2 years ago • 2 comments

  1. It's possible to upload a PHP file by changing the extension of an image that carries a PHP code payload. While uploading a file you can change the extension of the uploaded file to php, and you can bypass the MIME type check by concatenating PHP code binarily to the image file or to the image's metadata. More in the attached video.

  2. XSS - while renaming a file, you can paste an XSS payload and it will be stored on the server and run on the user side.

hasanali586q avatar Mar 10 '22 11:03 hasanali586q

Are you going to fix these critical bugs?

NModern avatar Mar 15 '22 13:03 NModern

Hi @hasanali586q , thanks for reporting these issues.

Issue number 1 has already been handled and cannot be reproduced in v2.5.0.

Can you provide steps to reproduce issue number 2?

streamtw avatar May 15 '22 07:05 streamtw

Part 1 of this issue is the same as #1113, fixed in v2.5.0. I also made some enhancements in v2.6.2, so it cannot be reproduced anymore.

I have received the video for part 2 of this issue. I will release a new version to fix it.

streamtw avatar Nov 22 '23 08:11 streamtw

The XSS attack happens only when previewing images. Renaming any file to a name like "><img src=x onerror=console.log(1)>.jpg will execute the script in onerror before v2.6.2. It is fixed in v2.6.3 by making the file name not executable.

I think it is much safer to prevent saving XSS scripts by filtering file names. But it also occurs to me that symbols like ", <, > may sometimes make sense in a file name. I am not quite sure whether filtering these symbols will make it more secure, or cause more trouble for developers and users.

So currently I do not filter these special symbols just yet. But I am open to discussion about whether it should be implemented or not.

If you have any opinion, please comment here.

streamtw avatar Nov 22 '23 08:11 streamtw
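An added example (not laravel-filemanager's own code) contrasting the two approaches discussed above: raw interpolation of a renamed file name into the image-preview markup versus output encoding for the attribute context, plus an input-side check for the symbols the maintainer mentions. The preview template shape and the function names are assumptions; the sample file name is the one quoted in the comment above.

```javascript
// Constructed sample name from the report: a file renamed so that it closes
// the src attribute of the preview <img> and injects a second element.
const CONSTRUCTED_NAME = '"><img src=x onerror=console.log(1)>.jpg';

// Escape a value for HTML text and double-quoted attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Unsafe (pre-fix behaviour): the file name is dropped straight into markup.
// Anything the name contains becomes part of the DOM, not part of the value.
function unsafePreview(name) {
  return `<img src="/files/${name}" alt="${name}">`;
}

// Safe: the name is encoded for each context it lands in. The URL path segment
// is percent-encoded, and both attribute values are HTML-escaped, so the
// browser always sees exactly one <img> whose attributes contain the name.
function safePreview(name) {
  const urlPart = escapeHtml(encodeURIComponent(name));
  return `<img src="/files/${urlPart}" alt="${escapeHtml(name)}">`;
}

// Count the <img> elements a markup string would create; a correctly encoded
// preview yields exactly one no matter what the file name contains.
function countImgTags(markup) {
  return (markup.match(/<img\b/g) || []).length;
}

// Optional input-side check for the symbols discussed in the thread. It does
// not replace output encoding; it only tells you a name needs care in HTML.
function hasHtmlSensitiveChars(name) {
  return /[<>"'&]/.test(name);
}

// Stand-alone demonstration: the unsafe template produces extra elements,
// the safe one does not.
console.log('unsafe <img> count:', countImgTags(unsafePreview(CONSTRUCTED_NAME)));
console.log('safe <img> count:  ', countImgTags(safePreview(CONSTRUCTED_NAME)));
```

Output encoding at render time is what removes the execution path regardless of what was saved; a file-name filter on upload or rename is defence in depth on top of it, not a substitute.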