By default it’s possible to upload
So we can put XSS there.
You can also upload any kind of file with HTML content inside, because we control the Content-Type header of the uploaded part: when it is changed to
Content-Type: text/html, the server sends the file back with that type and the browser renders it as
HTML even if the file has a different type (extension).
Proof of Concept:
Log in as a regular user, then submit any accepted file type with an XSS payload inside, for example:
The XSS will be visible when the uploaded file is opened:
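The upload and download behaviour described above, as an added example that is not part of the original advisory or the vendor's code. It models a download handler that echoes the Content-Type declared at upload time (the flaw), a hardened handler that derives the type from an extension allowlist and magic bytes and forces a download with sniffing disabled, and a rough model of when a browser will render a response as HTML. The allowlist, the function names and the two sample uploads are assumptions constructed for illustration, not the affected product's implementation.

```python
import os
from dataclasses import dataclass

# Hypothetical allowlist for the hardened handler: extension -> (MIME type the
# server will send, magic bytes the content must start with). Assumption, not
# taken from the affected application.
ALLOWED_TYPES = {
    ".png": ("image/png", b"\x89PNG\r\n\x1a\n"),
    ".jpg": ("image/jpeg", b"\xff\xd8\xff"),
    ".gif": ("image/gif", b"GIF8"),
    ".pdf": ("application/pdf", b"%PDF-"),
}


@dataclass
class Upload:
    filename: str       # name supplied in the multipart part
    declared_type: str  # Content-Type supplied in the multipart part
    data: bytes


def vulnerable_response(u):
    """Download handler that echoes the client-declared Content-Type.

    This is the behaviour the advisory describes: the stored file may be
    called avatar.png, but if the upload part said text/html the browser is
    told it is an HTML document."""
    return {"Content-Type": u.declared_type, "body": u.data}


def hardened_response(u):
    """Download handler that ignores the declared type entirely.

    Content-Type is chosen from the extension allowlist, the content must
    match that type's magic bytes, sniffing is disabled and the file is
    forced to download rather than navigated to."""
    ext = os.path.splitext(u.filename)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise ValueError("extension not allowed: %r" % ext)
    mime, magic = ALLOWED_TYPES[ext]
    if not u.data.startswith(magic):
        raise ValueError("content does not look like %s" % mime)
    safe_name = os.path.basename(u.filename).replace('"', "")
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": 'attachment; filename="%s"' % safe_name,
        "body": u.data,
    }


def browser_renders_html(resp):
    """Rough model of the browser decision the advisory relies on: a
    navigation response whose media type is text/html is rendered as a
    document regardless of the URL's extension, unless Content-Disposition
    forces a download."""
    media_type = resp.get("Content-Type", "").split(";")[0].strip().lower()
    disposition = resp.get("Content-Disposition", "").split(";")[0].strip().lower()
    return media_type == "text/html" and disposition != "attachment"


# Constructed sample uploads (not captured traffic).
# 1) The advisory's case: an accepted extension, HTML body, declared text/html.
XSS_UPLOAD = Upload("avatar.png", "text/html",
                    b"<script>alert(document.domain)</script>")
# 2) A PNG/HTML polyglot: valid PNG signature followed by markup, still
#    declared as text/html by the attacker.
POLYGLOT_UPLOAD = Upload("avatar.png", "text/html",
                         b"\x89PNG\r\n\x1a\n<script>alert(1)</script>")


def demo():
    """Runs both handlers against the samples and reports what the browser would do."""
    results = {
        "vulnerable_renders_xss": browser_renders_html(vulnerable_response(XSS_UPLOAD)),
        "hardened_rejects_fake_png": False,
        "hardened_renders_polyglot": browser_renders_html(hardened_response(POLYGLOT_UPLOAD)),
    }
    try:
        hardened_response(XSS_UPLOAD)
    except ValueError:
        results["hardened_rejects_fake_png"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-28s %s" % (name, value))
```

The polyglot case is why the magic-byte check alone is not the fix: a file that starts with a valid PNG signature passes it, so the hardened handler also pins the Content-Type to the allowlisted value, adds X-Content-Type-Options: nosniff and sets Content-Disposition: attachment, and the browser model then reports that it is not rendered as HTML. Serving user uploads from a separate origin is the usual additional layer so that any remaining rendering bug cannot reach the application's cookies.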
- 05-12-2014: Discovered
- 05-12-2014: Vendor notified
- 29-12-2014: Version 1.3.0 released, issue resolved