Filename Restriction Bypass Leading To Persistent Cross-site Scripting Vulnerability 

**Describe the bug**
A html file can be uploaded with `.html.aaa` or `.htm.aaa` file extensions. When the file is opened, it executes the Javascript code inside it. On the other hand, file uploading with the `.html.` and `.htm.` file extensions are enough to execute Javascript for Linux servers. The `WinRemoveTailDots` plugin prevents uploading these file extensions using `rtrim` function for Windows server.

**To Reproduce**
1. Select arbitrary png file to upload.
2. Capture request with Burp and set content as `test<img/src/onerror=alert(document.cookie)>`
3. Set filename like `test.html.aaa` or `test.htm.aaa`
4. After forwarding the request, the file is successfully uploaded under the files directory.

**Screenshots**
![7](https://github.com/Studio-42/elFinder/assets/76125965/152f694a-038c-4b8f-8a11-7052c6b71177)
![8](https://github.com/Studio-42/elFinder/assets/76125965/b6ae9d3d-7b45-4486-894d-6b2e39fc5455)

**Tested on:**
 - OS: Windows & XAMPP server
 - OS: Debian & Apache2

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Filename Restriction Bypass Leading To Persistent Cross-site Scripting Vulnerability #3617

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Filename Restriction Bypass Leading To Persistent Cross-site Scripting Vulnerability #3617

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions