A stored cross-site scripting (XSS) vulnerability has been identified in UEditor version 1.4.3.3.
The vulnerability stems from the default configuration of config.json files within the ≤1.4.3.3 versions of UEditor, which permits the uploading of .swf files. Furthermore, for versions ≥1.4.2 and ≤1.4.3.3, UEditor's config files also allow the uploading of .xml files by default. Since both .swf and .xml files can execute scripts, this presents an opportunity for stored XSS attacks.
Many derivative editors and web applications that have integrated UEditor as a component have not modified the fileAllowFiles in the config file, rendering them vulnerable to this issue.
https://github.com/search?q=%22.pdf%22%2C+%22.txt%22%2C+%22.md%22%2C+%22.xml%22&type=code&p=1
Details
The vulnerability is present in the config.json file of UEditor ≤1.4.3.3, where the configuration allows the upload of .swf files by default. In addition, for versions ≥1.4.2 and ≤1.4.3.3, .xml files are also permitted for upload due to the default settings.
For example:
v1.3.6:/ueditor/php/upfile.phpv1.4.3.3:/ueditor/php/config.json
Similar POST requests can be directed to other versions' upload interfaces like /asp/controller.asp?action=uploadfile&encode=utf-8, /jsp/controller.jsp?action=uploadfile&encode=utf-8, and /net/controller.ashx?action=uploadfile&encode=utf-8.
Impact
The vulnerability affects all web applications that have integrated UEditor version 1.4.3.3 or below and have not modified the config.json or upfile program to restrict the file types that can be uploaded.
Hebing123
commented
3 months ago
Summary
A stored cross-site scripting (XSS) vulnerability has been identified in UEditor version 1.4.3.3. The vulnerability stems from the default configuration of config.json files within the ≤1.4.3.3 versions of UEditor, which permits the uploading of
.swffiles. Furthermore, for versions ≥1.4.2 and ≤1.4.3.3, UEditor's config files also allow the uploading of.xmlfiles by default. Since both.swfand.xmlfiles can execute scripts, this presents an opportunity for stored XSS attacks. Many derivative editors and web applications that have integrated UEditor as a component have not modified the fileAllowFiles in the config file, rendering them vulnerable to this issue. https://github.com/search?q=%22.pdf%22%2C+%22.txt%22%2C+%22.md%22%2C+%22.xml%22&type=code&p=1Details
The vulnerability is present in the config.json file of UEditor ≤1.4.3.3, where the configuration allows the upload of .swf files by default. In addition, for versions ≥1.4.2 and ≤1.4.3.3, .xml files are also permitted for upload due to the default settings. For example: v1.3.6:/ueditor/php/upfile.php
v1.4.3.3:/ueditor/php/config.json
Proof of Concept (POC)
POST Request to Upload XML File
Similar POST requests can be directed to other versions' upload interfaces like
/asp/controller.asp?action=uploadfile&encode=utf-8,/jsp/controller.jsp?action=uploadfile&encode=utf-8, and/net/controller.ashx?action=uploadfile&encode=utf-8.Impact
The vulnerability affects all web applications that have integrated UEditor version 1.4.3.3 or below and have not modified the
config.jsonor upfile program to restrict the file types that can be uploaded.