The vulnerability in Bagisto’s TinyMCE image uploader stems from improper file type validation. While the frontend interface and initial checks block `.html` file extensions, the backend processing logic contains a flaw. When a file is uploaded, the system performs content sniffing on the file’s data. If an attacker uploads a file with a `.png` extension that contains raw HTML or JavaScript code, the backend detector misclassifies the content type. This misclassification triggers an automatic file extension conversion, changing the stored file from `.png` to `.html`. Consequently, the malicious file is saved on the server with an `.html` extension. When an authenticated admin user or editor opens the URL of this uploaded “image” in their browser, the server delivers it with a `text/html` MIME type. The browser, recognizing the content as HTML, renders it and executes any embedded JavaScript within the context of the victim’s session, leading to a stored XSS attack.
Platform: Bagisto
Version: 2.3.7
Vulnerability: Stored XSS
Severity: Critical
date: 2024-XX-XX
Prediction: Patch expected Q3 2024
What Undercode Say:
```shell
# Upload the disguised file. The form field name "file" is assumed here;
# the original command was mangled by e-mail obfuscation in the scrape.
curl -X POST -F "file=@malicious.png" http://bagisto-host/admin/upload

# Content sniffing identifies the "image" as HTML, not PNG.
file malicious.png

# The file body is plain HTML with a script tag.
cat malicious.png
<!-- malicious.png content -->
<script>alert(document.cookie)</script>
```
How to Exploit:
Upload malicious HTML as PNG.
Backend converts PNG to HTML.
Victim views file, script executes.
Protection from this CVE
Disable content sniffing, so the stored extension is never rewritten from the detected content type.
Implement strict file type verification: the declared extension must be allow-listed and must agree with the actual file content.
Use Content-Security-Policy headers.
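To make the flaw and the fixes above concrete, here is an added example (not Bagisto’s code) that models the vulnerable rename-by-sniffing pattern beside a strict check that rejects mismatched content instead of converting the extension, plus the response headers for serving accepted uploads. The sniffer, the allow-list and the sample bytes are constructed for illustration.

```python
from pathlib import PurePosixPath

# Allowed image extensions mapped to a canonical label, and the magic bytes
# a file carrying that label must start with.
CANONICAL = {"png": "png", "jpg": "jpg", "jpeg": "jpg", "gif": "gif"}
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MIME = {"png": "image/png", "jpg": "image/jpeg", "gif": "image/gif"}

def sniff(data: bytes) -> str:
    """Minimal content sniffer standing in for the backend detector."""
    for label, sigs in MAGIC.items():
        if data.startswith(sigs):
            return label
    head = data[:256].lstrip().lower()
    if head.startswith((b"<!doctype", b"<html", b"<script", b"<!--")):
        return "html"
    return "bin"

def vulnerable_store_name(filename: str, data: bytes) -> str:
    """Flawed pattern from the page: the extension passes the allow-list, but
    the stored extension is then rewritten from the sniffed type, so HTML
    inside 'x.png' is saved as 'x.html' and later served as text/html."""
    p = PurePosixPath(filename)
    if p.suffix.lstrip(".").lower() not in CANONICAL:
        raise ValueError("extension not allowed")
    return f"{p.stem}.{sniff(data)}"

def hardened_check(filename: str, data: bytes) -> tuple[bool, str]:
    """Strict verification: the declared extension must be allow-listed AND
    agree with the magic bytes; the stored extension is never derived from
    sniffing. Returns (accepted, stored_name_or_reason)."""
    p = PurePosixPath(filename)
    ext = p.suffix.lstrip(".").lower()
    if ext not in CANONICAL:
        return False, "extension not allowed"
    if sniff(data) != CANONICAL[ext]:
        return False, "content does not match declared image type"
    return True, f"{p.stem}.{ext}"

def serve_headers(stored_name: str) -> dict[str, str]:
    """Headers for an accepted upload: MIME fixed from the verified extension,
    browser sniffing disabled, and scripts blocked if anything slips through."""
    ext = CANONICAL[PurePosixPath(stored_name).suffix.lstrip(".").lower()]
    return {"Content-Type": MIME[ext],
            "X-Content-Type-Options": "nosniff",
            "Content-Security-Policy": "default-src 'none'; sandbox"}

# Constructed samples: HTML disguised as an image, and a real PNG header.
HTML_AS_PNG = b"<!-- constructed sample -->\n<script>/* runs only if served as HTML */</script>"
REAL_PNG = b"\x89PNG\r\n\x1a\n" + bytes(16)
```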
Impact:
Session hijacking
Unauthorized admin actions
Privilege escalation
Sources:
Reported By: github.com