CVE-2023-25365 / XSS via file upload bypass

CUPC4K3
Feb 8, 2024


This vulnerability affects version 3.2.0 and was discovered by cupc4k3 and Gabriel V. Mendes.

What is OctoberCMS?

October CMS is a self-hosted award-winning platform based on the Laravel PHP Framework.

Analyzing File Uploads:

Initially we tried to upload a file but it was not possible: the application has a filter, and by analyzing the source code we realized that it only allows the following extensions to be uploaded:

As shown in the gif below, we tried to upload a .html file and were unsuccessful, with the message:

The file type used is blocked for security reasons

Performing the Bypass:

We found that the upload is accepted when the file has no name at all, only an extension that the application accepts.

We tried unsuccessfully to upload a .php file =(

But by intercepting the request and changing the .html extension to one that the system accepts (.mp3), we were able to succeed.

We inserted a simple HTML file whose script is triggered when the page is accessed:

<!DOCTYPE html>
<html>
<body>
<script>
alert('XSS');
</script>
</body>
</html>

After we succeed in uploading the .mp3 file, it is hidden in the system, so we upload a “mask.jpg” image as well; when we click on “click here” we see the path of the uploaded file.

With that, we just change the path to point at our hidden .mp3 file; since the file type is not validated when it is served, the browser renders it and runs our script. =)
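As an added, defender-side illustration (not code from this post or from October CMS), here is a Python upload check that covers the three gaps the post walks through: an empty base name with an allowed extension, content that does not match the extension, and serving the stored file in a way that lets the browser render it as HTML. The allowlist and MIME map are constructed assumptions; the post does not list the extensions October CMS actually accepts.

```python
import os
import re
from typing import Dict, Optional

# Constructed allowlist for illustration; the post does not list the
# extensions October CMS 3.2.0 actually permits.
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif", "mp3", "pdf"}

# Expected leading bytes per extension (standard file signatures).
MAGIC = {
    "jpg": (b"\xff\xd8\xff",), "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
    "mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),
}
MIME = {"jpg": "image/jpeg", "jpeg": "image/jpeg", "png": "image/png",
        "gif": "image/gif", "pdf": "application/pdf", "mp3": "audio/mpeg"}

# Markup that must never appear in a file stored under a media extension.
HTML_MARKER = re.compile(rb"<\s*(!doctype|html|script|svg|body|iframe)", re.I)

def validate_upload(filename: str, content: bytes) -> Optional[str]:
    """Return None when the upload is acceptable, else the rejection reason."""
    name = os.path.basename(filename)
    base, dot, ext = name.rpartition(".")
    ext = ext.lower()
    if not dot or ext not in ALLOWED_EXT:   # the only check the post says the app did
        return "extension not allowed"
    if not base:                            # ".mp3" with no name: the bypass in the post
        return "empty file name"
    if not content.startswith(MAGIC[ext]):  # HTML bytes under a .mp3 name
        return "content does not match extension"
    if HTML_MARKER.search(content[:4096]):  # HTML hidden behind a media signature
        return "html content detected"
    return None

def download_headers(stored_name: str) -> Dict[str, str]:
    """Headers that stop the browser rendering an uploaded file as a page."""
    ext = stored_name.rsplit(".", 1)[-1].lower()
    return {
        "Content-Type": MIME.get(ext, "application/octet-stream"),
        "X-Content-Type-Options": "nosniff",   # no sniffing of .mp3 bytes into HTML
        "Content-Disposition": 'attachment; filename="%s"' % os.path.basename(stored_name),
    }

# Constructed sample: the HTML payload from the post, as it would be uploaded.
XSS_PAYLOAD = b"<!DOCTYPE html><html><body><script>alert('XSS');</script></body></html>"
```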
