PDF XSS in admin/upload.php

[jinnywc]

Version：3.4.0
Payload: app.alert('xss');
Insert xss malicious code in pdf with pdf editor

Access the file upload function of GetSimpleCMS, upload a malicious pdf, and get the uploaded file path in the response package.

Using google browser to access the path of the malicious pdf file upload will trigger xss, which must be accessed by google browser.

[tablatronix]

Is this a google chrome pdf reader exploit?

[bigin]

What's wrong with this? JS used in PDF as a part of form fill-out on web sites. You'll need to upload the PDF into the admin site, which would be a security issue.
You can change status to WontFix for it.

[tablatronix]

It seems to be a browser exploit right? How can we mitigate that?

[bigin]

There is no need for it. I don't think it's necessary to do anything, an alert message isn't XSS yet.

[jinnywc]

Specify the content-type of the response, so that users can download and parse the PDF type file locally when browsing

[jinnywc]

Inserting the specified code can also obtain sensitive information such as cookies

[bigin]

Well, and how do you get the PDF on the server if you don't have administrator privileges?

[jinnywc]

After we create users, we upload malicious PDF files. The XSS can be triggered by recording the path of the PDF file and enticing the administrator or other users to access it

[tablatronix]

content type is a server config, not much we can do about it in GS

After we create users seems to be a bigger concern.. lol

[bigin]

hehe really dumb

[jinnywc]

It can be implemented by code(example：https://www.helplib.com/Web_Development/article_4821)

[jinnywc]

lol？I also play lol .game

[bigin]

You'll need to upload the PDF on the server, which would be a security issue. It's not an exploit.

[tablatronix]

Yeah but implementing a entire downloader file service and wrapping all downloads in code... Would probably add 3 more vectors , path traversal, injection etc.. meh.

We have white/black lists for uploads, and people can secure their server though the proper means for downloads.

[tablatronix]

I guess we could suggest or provide something for htaccess.. but not everyone runs apache

[bigin]

Yeah, custom upload restrictions, may be the best option at the moment. It's a single-admin cms (by default). And if a malicious user would get access to the admin, then we would probably have bigger problems than just XSS.

[tablatronix]

I will leave the discussion label on here for now, if anyone had ideas let me know. If not I will wontfix it