Halo
cpe:2.3:a:halo:halo:*:*:*:*:*:*:*
- <= 2.20.12
A vulnerability in Halo, prior to version 2.20.13, allows attackers to bypass file type validation, enabling the upload of malicious files such as executables and HTML files. This could result in stored cross-site scripting attacks and, under certain conditions, remote code execution. The issue arises because the file validation process only checks file content and size, neglecting to verify file extensions, which allows polyglot files to evade security measures.
Exploitation of this vulnerability could lead to bypassing file type restrictions, allowing the upload of harmful files that could be used for stored cross-site scripting attacks. In some cases, this could also result in remote code execution, particularly when targeting admin users.
To reproduce this vulnerability, upload a polyglot file that combines BMP, HTML, and JAR formats, using a .html extension. The file will pass validation as an image/bmp, but can then be used to exploit stored XSS by referencing it in an iframe. This XSS can be leveraged to make arbitrary API calls with the victim's privileges. If the target is an admin user, it's possible to install a malicious plugin via the Halo API.
Users are advised to upgrade to Halo version 2.20.13. If an immediate upgrade is not possible, consider restricting access to the file upload feature, implementing strict network controls on the upload directory, monitoring for suspicious file uploads and XSS attempts, or disabling file uploads altogether if not essential.
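As an added illustration, not Halo's own code, of the validation gap described above and the fix it calls for: a check that sniffs content and size only, beside a check that also enforces an extension allowlist and requires the sniffed type to agree with the type the extension claims. The signature table, size limit and sample bytes are constructed for this example.

```python
import os

# Magic-byte signatures for accepted image types (constructed subset).
IMAGE_SIGNATURES = {
    b"BM": "image/bmp",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
}
# Extension allowlist mapped to the content type each extension may carry.
ALLOWED_EXTENSIONS = {".bmp": "image/bmp", ".png": "image/png", ".jpg": "image/jpeg"}
MAX_SIZE = 5 * 1024 * 1024  # assumed limit, 5 MiB

def sniff_mime(data):
    """Return the content type implied by the leading bytes, or None."""
    for magic, mime in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return mime
    return None

def validate_content_only(filename, data):
    """Flawed pattern: size and content are checked, the extension is not.
    A BMP/HTML polyglot stored under a .html name passes as image/bmp."""
    if len(data) > MAX_SIZE:
        return False, "file too large"
    mime = sniff_mime(data)
    if mime is None:
        return False, "content is not a supported image"
    return True, mime

def validate_strict(filename, data):
    """Hardened: extension allowlist, size, magic bytes, and the sniffed
    type must agree with the type the extension claims."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension %r not allowed" % ext
    if len(data) > MAX_SIZE:
        return False, "file too large"
    mime = sniff_mime(data)
    if mime is None:
        return False, "content is not a supported image"
    if mime != ALLOWED_EXTENSIONS[ext]:
        return False, "content %s does not match extension %s" % (mime, ext)
    return True, mime

# Constructed sample: BMP magic bytes followed by HTML markup, saved under a
# .html name, the polyglot shape this advisory describes.
POLYGLOT = b"BM" + b"\x00" * 12 + b"<html><body>constructed</body></html>"
```

Even with the strict check, serve stored uploads with the extension-derived Content-Type and `X-Content-Type-Options: nosniff`, so a browser never sniffs an image body as HTML.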