Parse Server Stored Cross-Site Scripting Vulnerability via Content-Type MIME Parameter

Vulnerability

A stored cross-site scripting vulnerability has been identified in Parse Server, an open-source backend framework that runs on Node.js. This issue affects versions from 9.0.0 up to (but not including) 9.6.0-alpha.15, and from 8.6.41 up to (but not including) 8.6.50. The vulnerability arises when an attacker is permitted to upload files and can manipulate the `Content-Type` header by adding a MIME parameter, such as `;charset=utf-8`. This manipulation bypasses the file extension filter, allowing active content to be uploaded and served under the application's domain. Additionally, certain XML-based file extensions that can execute scripts in web browsers are not included in the default blocklist, which widens the set of file types that can be abused.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the victim user's browser session on the application's origin, potentially leading to the compromise of session tokens, user credentials, or other sensitive data stored in the browser's local storage.

Reproduction

To reproduce this vulnerability, upload a file through a Parse Server application that allows file uploads. Append a MIME parameter to the `Content-Type` header, such as `;charset=utf-8`, to bypass the file extension validation. Once the file is uploaded, it will be served under the application's domain, executing any active content, such as scripts, in the user's browser.

Remediation

Update to Parse Server 9.6.0-alpha.15 or 8.6.50, where this vulnerability has been patched. After updating, configure the `fileUpload.fileExtensions` option as an allowlist containing only the file extensions the application actually needs, rather than relying on the default blocklist.
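The following is an added example, not Parse Server's own code: a hypothetical upload check that shows how a raw `Content-Type` value carrying a MIME parameter can defeat a lookup keyed on the media type (the failure mode described under Vulnerability), beside a hardened check that parses the header first and enforces the extension allowlist recommended under Remediation. The `MIME_TO_EXT` map and the function names are assumptions.

```javascript
// Hypothetical minimal media-type -> extension map (a real deployment would
// use a MIME database). Constructed for this example.
const MIME_TO_EXT = new Map([
  ["image/png", "png"],
  ["image/jpeg", "jpg"],
  ["application/pdf", "pdf"],
]);

// Split a Content-Type header ("type/subtype; key=value; ...") into its
// media type and parameters, so a parameter such as ";charset=utf-8" can
// never change which media type is looked up.
function parseContentType(header) {
  const [type, ...params] = String(header || "").split(";");
  const parameters = {};
  for (const p of params) {
    const idx = p.indexOf("=");
    if (idx === -1) continue;
    const key = p.slice(0, idx).trim().toLowerCase();
    parameters[key] = p.slice(idx + 1).trim().replace(/^"(.*)"$/, "$1");
  }
  return { type: type.trim().toLowerCase(), parameters };
}

// Weak check, modelled on the bypass the advisory describes (hypothetical,
// not Parse Server's implementation): the raw header is the lookup key, so
// "application/pdf;charset=utf-8" finds no extension and the filter is
// skipped for "unknown" types.
function weakIsAllowed(filename, contentTypeHeader, allow) {
  const ext = MIME_TO_EXT.get(contentTypeHeader);
  if (ext === undefined) return true; // unknown type: nothing to check
  return allow.includes(ext);
}

// Hardened check: normalize the media type, derive the extension from both
// the header and the filename, and reject anything not on the allowlist.
// Unknown media types are rejected rather than waved through, which also
// covers script-capable XML-based types without enumerating them.
function isUploadAllowed(filename, contentTypeHeader, allow) {
  const allowSet = new Set(allow.map((e) => e.toLowerCase()));
  const { type } = parseContentType(contentTypeHeader);
  const byType = MIME_TO_EXT.get(type);
  const m = /\.([A-Za-z0-9]+)$/.exec(filename);
  const byName = m ? m[1].toLowerCase() : undefined;
  if (byType === undefined || byName === undefined) return false;
  return allowSet.has(byType) && allowSet.has(byName);
}
```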

Added: Mar 18, 2026, 10:29 PM
Updated: Mar 18, 2026, 10:29 PM

Vulnerability Rating

Custom Algorithm
spread: 6.4
impact: 1.7
exploitability: 6.2
remediation: 8.3
relevance: 4.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.