WuKongOpenSource WukongCRM Cross-Site Scripting Vulnerability via File Upload
Vulnerability
A stored cross-site scripting (XSS) vulnerability has been identified in WuKongOpenSource WukongCRM version 9.0. The file upload handled in AdminSysConfigController.java does not validate the uploaded file's extension or content, so a file such as an HTML document containing JavaScript is accepted and stored as-is. Because the application later serves the stored file, any user who opens it in a browser runs the injected script in the context of the application (assuming uploads are served from the application's own origin, which is what makes the script useful to an attacker), giving a persistent XSS.
Impact
An attacker who can upload such a file and get a victim to open it (for example by sending a link to the uploaded file) executes arbitrary JavaScript in the victim's browser within the application's origin. This can lead to session hijacking (theft of cookies or tokens readable by script), phishing through injected forms, defacement of web content, or distribution of malware by redirecting the victim to attacker-controlled sites.
Reproduction
To reproduce, upload a file named test.html through the application's file upload feature. The file contains a script tag with JavaScript, for example an alert() call that displays document.domain. Then open the uploaded file's URL in a browser: the alert fires, and showing the application's own domain confirms that the script runs in the application's origin rather than from an isolated file domain, which is the condition that makes this a cross-site scripting issue.
Remediation
Enforce a strict server-side allowlist of file extensions, permitting only the types the feature needs (for image uploads, .jpg, .png and .gif) and rejecting everything else, including .svg, .html and .php, rather than maintaining a denylist of known-bad extensions. Compare the extension case-insensitively and consider only the final extension, so that names such as TEST.HTML and logo.gif.html are rejected. Allowlisting alone is not sufficient: also verify that the file content matches the declared type (magic bytes), store the file under a server-generated name rather than the user-supplied one, and serve uploads with a correct Content-Type and X-Content-Type-Options: nosniff (or as an attachment), ideally from a separate origin, so that a browser never renders an upload as HTML in the application's origin.
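The following is an added example, not code from WukongCRM or its authors; the project's upload handler is Java, but the checks carry over directly. It implements the allowlist above together with the content check, generated storage name and serving headers a practitioner would want, and runs the advisory's test.html case plus the usual bypass variants (case changes, double extensions, HTML in a .gif, a polyglot image, path traversal) through the validator. The sample files and the function names are constructed for the example.

```python
"""Server-side upload validation for an image-upload endpoint: extension
allowlist, content (magic-byte) check, generated storage name and safe
serving headers. Added example, not WukongCRM code; the project's handler
is Java, but the checks are the same in any language."""
import os
import re
import uuid

# Allowlist of the image types the feature actually needs (from the advisory).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Leading bytes each allowed type must carry; the extension alone is not trusted.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
CONTENT_TYPES = {"jpg": "image/jpeg", "jpeg": "image/jpeg",
                 "png": "image/png", "gif": "image/gif"}

# Markup that would make a polyglot file (valid image header, HTML inside)
# dangerous if a browser or proxy ever sniffed it as a document.
HTML_MARKERS = re.compile(
    rb"<\s*/?\s*(script|html|body|svg|iframe|object|embed|meta)\b", re.IGNORECASE)


class UploadRejected(ValueError):
    """Raised with a reason when an upload fails validation."""


def validate_upload(filename, content):
    """Validate a (client filename, file bytes) pair.

    Returns (extension, stored_name) for an acceptable file; stored_name is a
    server-generated name, never the client's. Raises UploadRejected otherwise.
    """
    if not filename or "\x00" in filename:
        raise UploadRejected("empty name or embedded NUL byte")
    # Any path component (../, C:\, nested dirs) is a traversal attempt.
    base = os.path.basename(filename.replace("\\", "/"))
    if base != filename:
        raise UploadRejected("path separators in filename")
    # Only the final extension counts, compared case-insensitively, so
    # logo.gif.html and TEST.HTML are both treated as .html.
    if "." not in base or base.endswith("."):
        raise UploadRejected("no usable extension")
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension .{ext} not in allowlist")
    # The bytes must actually be that image type (test.html.gif fails here).
    if not any(content.startswith(m) for m in MAGIC[ext]):
        raise UploadRejected(f"content does not match .{ext} signature")
    if HTML_MARKERS.search(content):
        raise UploadRejected("markup found inside image data")
    stored_name = f"{uuid.uuid4().hex}.{ext}"
    return ext, stored_name


def download_headers(stored_name):
    """Headers for serving a validated upload so a browser never renders it
    as HTML in the application's origin: correct type, no sniffing, no scripts."""
    ext = stored_name.rsplit(".", 1)[1]
    return {
        "Content-Type": CONTENT_TYPES[ext],
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
        "Content-Disposition": f'inline; filename="{stored_name}"',
    }


# Constructed sample inputs (not captured from the product): a minimal GIF
# and the advisory's test.html payload.
GIF_BYTES = b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 16
HTML_PAYLOAD = b"<html><body><script>alert(document.domain)</script></body></html>"


def check_samples():
    """Run the bypass variants a tester would try; returns {filename: verdict}."""
    cases = {
        "logo.gif": GIF_BYTES,                     # legitimate upload
        "test.html": HTML_PAYLOAD,                 # the advisory's PoC
        "TEST.HTML": HTML_PAYLOAD,                 # case games
        "logo.gif.html": HTML_PAYLOAD,             # double extension
        "test.html.gif": HTML_PAYLOAD,             # allowed extension, HTML body
        "polyglot.gif": GIF_BYTES + HTML_PAYLOAD,  # valid header, markup inside
        "../test.gif": GIF_BYTES,                  # traversal in the name
        "test.svg": b"<svg onload=alert(1)></svg>",
        "noext": GIF_BYTES,
    }
    verdicts = {}
    for name, data in cases.items():
        try:
            validate_upload(name, data)
            verdicts[name] = "accepted"
        except UploadRejected as err:
            verdicts[name] = f"rejected: {err}"
    return verdicts


if __name__ == "__main__":
    for name, verdict in check_samples().items():
        print(f"{name:16} {verdict}")
```

Only logo.gif is accepted; every other sample is rejected with the reason. The serving headers matter as much as the upload check: even a file that slips past validation cannot run script in the application's origin if the browser is told its exact image type, forbidden from sniffing, and handed a sandboxing CSP.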
