Summary
The Merge functionality takes untrusted user input (the uploaded file name) and uses it directly when building HTML, allowing any unauthenticated user to execute JavaScript code in the context of the user viewing the page.
Details
The issue stems from the code starting at Line 24 in src/main/resources/static/js/merge.js. The file name is inserted directly into innerHTML with no sanitization, so a malicious user can upload files whose names contain HTML tags. Because HTML tags can carry JavaScript (for example, event handler attributes), this can be used to execute JavaScript code in the context of the user.
PoC
- Create a file (or rename an existing file) to `<img src=x onerror=alert(1)>.pdf`.
- Navigate to the Merge PDF page and upload the file.
- Observe that the JavaScript code is executed and an alert box is displayed with the number 1. This can also be used to display iframes and other HTML tags to change the look of the page.
- This also affects https://stirlingpdf.io/merge-pdfs, where the payload `<img src=x onerror=alert(document.cookie)>.pdf` can be used to display the session cookie.
Impact
This is a self-injection style attack: it relies on a user uploading the malicious file themselves, and it impacts only them, not other users. A user might be socially engineered into doing this as part of a phishing attack. Nevertheless, this breaks the security restrictions the application is expected to enforce.
Remediation
- Treat all user input as untrusted and conduct input sanitisation such as HTML output encoding.
- Don't use user input directly inside innerHTML; build the element and set the file name with textContent instead.
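The following is an added example illustrating the two remediation points; it is not code from Stirling-PDF's merge.js. The function names (escapeHtml, buildFileRowUnsafe, buildFileRowSafe, appendFileRow) and the `<li class="file-row">` markup are assumptions chosen for illustration. It shows the vulnerable pattern the advisory describes (raw file name concatenated into markup destined for innerHTML), the same pattern with HTML output encoding applied, and the preferred DOM approach that never parses user data as HTML at all.

```javascript
// Added example (not Stirling-PDF code): HTML output encoding and a safe way
// to render an uploaded file name. Function names and markup are assumptions.

// Escape the five characters that can change the HTML parsing context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern described in the advisory: the raw file name is
// interpolated into markup that will later be assigned to innerHTML, so a
// name like "<img src=x onerror=alert(1)>.pdf" becomes a live element.
function buildFileRowUnsafe(fileName) {
  return '<li class="file-row">' + fileName + '</li>';
}

// Hardened pattern: encode the file name before it reaches innerHTML, so the
// browser renders the angle brackets as text instead of creating a tag.
function buildFileRowSafe(fileName) {
  return '<li class="file-row">' + escapeHtml(fileName) + '</li>';
}

// Preferred browser approach: do not route user data through innerHTML.
// Create the element and assign the name via textContent, which is never
// parsed as markup. (Requires a DOM, so it is only callable in a browser.)
function appendFileRow(listElement, fileName) {
  const row = document.createElement('li');
  row.className = 'file-row';
  row.textContent = fileName; // rendered literally, never parsed as HTML
  listElement.appendChild(row);
  return row;
}

// Constructed sample input taken from the PoC in this advisory.
const SAMPLE_NAME = '<img src=x onerror=alert(1)>.pdf';

// Defensive check: true when the only tags in the markup are the <li>
// wrapper we wrote ourselves, i.e. no tag was smuggled in via the file name.
function containsOnlyListItemTag(html) {
  const tags = html.match(/<[^>]+>/g) || [];
  return tags.every((t) => /^<\/?li\b/.test(t));
}

// Run in Node with: node this_file.js
console.log('unsafe row passes check:', containsOnlyListItemTag(buildFileRowUnsafe(SAMPLE_NAME))); // false
console.log('safe row passes check:  ', containsOnlyListItemTag(buildFileRowSafe(SAMPLE_NAME)));   // true
```

Escaping is the right fix only for the string-building path; where the code already has a reference to the list element, appendFileRow is simpler and removes the innerHTML sink entirely, which is what the second remediation bullet recommends.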