linlinjava litemall
cpe:2.3:a:litemall_project:litemall:*:*:*:*:*:*:*
A stored cross-site scripting vulnerability has been identified in Linlinjava Litemall versions through 1.8.0. The issue resides in the file upload function at the endpoint '/wx/storage/upload'. The vulnerability arises because the application fails to validate file extensions, allowing the upload of files that browsers render as active content, such as '.html', '.htm', or '.pdf'. These files are served back to users without any sanitization, so any script they contain executes in the viewer's browser.
Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the context of the victim's browser. This could result in cookie theft, session hijacking, and account takeover. If an administrator's account is targeted, it could lead to privilege escalation. Additionally, this vulnerability could be used as a pivot point for further client-side attacks, such as phishing.
To reproduce this vulnerability, upload a file with a '.html' extension containing a script tag, such as '<script>alert("XSS")</script>', to the '/wx/storage/upload' endpoint. After the file is uploaded, access it through the '/wx/storage/fetch/{key}' endpoint, replacing '{key}' with the key of the uploaded file. This will trigger the stored cross-site scripting vulnerability by executing the injected script in the browser.
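One way to close both halves of the issue described above (the missing extension check on upload and the unsanitized response on fetch), as an added example that is not Litemall's own code. The class name `UploadPolicy`, the image-only allowlist, and the assumption that the stored key keeps the file's extension are all hypothetical.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

public class UploadPolicy {
    // Assumed allowlist: extensions the shop needs, mapped to the type served back.
    static final Map<String, String> ALLOWED = Map.of(
        "jpg", "image/jpeg", "jpeg", "image/jpeg",
        "png", "image/png", "gif", "image/gif");

    // Lower-cased final extension, or "" when there is none.
    static String extensionOf(String name) {
        if (name == null) return "";
        int dot = name.lastIndexOf('.');
        if (dot < 0 || dot == name.length() - 1) return "";
        return name.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    // Upload side: reject anything whose final extension is not allowlisted.
    static boolean acceptUpload(String originalFilename) {
        return ALLOWED.containsKey(extensionOf(originalFilename));
    }

    // Fetch side: headers that keep a stored object from running as a page,
    // including objects stored before the upload check existed.
    static Map<String, String> fetchHeaders(String key) {
        String type = ALLOWED.get(extensionOf(key));
        Map<String, String> h = new LinkedHashMap<>();
        h.put("Content-Type", type != null ? type : "application/octet-stream");
        h.put("X-Content-Type-Options", "nosniff");
        h.put("Content-Security-Policy", "default-src 'none'; sandbox");
        if (type == null) h.put("Content-Disposition", "attachment");
        return h;
    }

    public static void main(String[] args) {
        // Constructed sample names, not taken from the advisory.
        for (String n : new String[] {"cat.png", "note.html", "a.PNG.HtM", "doc.pdf", "noext"}) {
            System.out.println(n + " accept=" + acceptUpload(n) + " " + fetchHeaders(n));
        }
    }
}
```

The fetch-side headers matter as much as the upload check: files uploaded before the check was deployed remain in storage, and serving them as `application/octet-stream` with `nosniff` and an attachment disposition stops the browser from rendering them in the application's origin.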