Absent Member..

Insecure file upload issue -- Urgent!!

Issue:


The web client allows a user to upload files to the server containing JavaScript code; some particular extensions of the uploaded file allow executing it directly in the client's browser.


Steps to reproduce:


1) Create a txt file named "test.txt" with the following content:

<script>alert("XSS");</script>

and save it locally.

2) Log in to the web client.

3) Upload this file to any of the existing HPSM tickets (IM, CM, etc.) under the Attachments tab.

4) Once uploaded, click on the "test.txt" link under the Attachments tab. An alert window pops up in the web browser.


This could lead to a security threat and should be avoided.

How can uploading such attachments be avoided? Any fixes or workarounds for this?

5 Replies

Absent Member..

The files uploaded with the ".txt" extension get opened directly in the browser after clicking on the link, and that's why the contents of the file are getting executed. If we can somehow prompt for Open/Save of the file, like it happens for .doc and .xls attachments, then it should be ok?

Any help please.

Absent Member.

Hi,
I tried the same, but it is not executing; it is just displaying the whole text in the browser window.

regards,
____________________________________
Assign Kudo, if found post useful and mark it accepted if solves the issue.
Absent Member..

Hi Piku,

That's what I want: the web client should not execute the contents of a text file; instead it should either display the contents or prompt for Open/Save. But it's not working at my end.

Would you check the MIME type of "text" files in web.xml? It's set to "text/plain" in my case.

Any other thoughts? Web client version is 7.11.333

Fleet Admiral

I'm not sure I understand the problem here.

Isn't every file you attach able to be executed? If you attach a .zip file and select it, the system will download and open the .zip file, using whatever program is set as the user's default for handling that file extension. If you attach a .doc or .docx file, the system will open the file using Word. If you attach an image file (.jpg, .gif, .bmp) and double click on it, the system will display the image. If you attach an .exe, the system will run that .exe when the user selects it. Any file you upload can be run on the user's system.

In the case of any file extension that can be opened by their internet browser, the file the user selects will open in that browser. I don't think this is insecure, per se, since the user has to actively open that file for downloading.

The only way to solve this would be to not allow attachments, which I don't think is a reasonable possibility in most environments.

Absent Member.

As Jacob stated, the user's environment (browser settings and file associations) determines whether the attachment is opened or prompted for save.


One option is to modify the attachment's extension using JavaScript in a SYSATTACHMENTS trigger (e.g. test.txt becomes test.txt.xyz).

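The thread turns on one point: whether the attachment link makes the browser render the file inline or offer Open/Save. Below is an added example (not code from the thread or from HP Service Manager) of how a download endpoint can build its response headers so that user-uploaded content is always delivered as a download, never interpreted as HTML or script, regardless of the user's browser settings or a `text/plain` mapping in web.xml. The `ACTIVE_TYPES` set and the function names are the example's own assumptions.

```python
"""Response headers for serving uploaded attachments safely (added example)."""
import mimetypes
import re
from typing import Dict, Optional
from urllib.parse import quote

# Content types a browser may execute as active content when shown inline.
ACTIVE_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "text/xml", "application/xml", "text/javascript", "application/javascript",
}


def sanitize_filename(name: str) -> str:
    """Strip any path and keep an ASCII-safe basename for the filename= parameter."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    safe = re.sub(r"[^A-Za-z0-9._-]", "_", base) or "download"
    return safe[:255]


def attachment_headers(stored_name: str, declared_type: Optional[str] = None) -> Dict[str, str]:
    """Headers that force Open/Save and stop inline rendering of user content."""
    guessed, _ = mimetypes.guess_type(stored_name)
    ctype = (declared_type or guessed or "application/octet-stream").split(";")[0].strip().lower()
    # Never hand a user-controlled file to the browser under an executable type.
    if ctype in ACTIVE_TYPES:
        ctype = "application/octet-stream"
    base = stored_name.replace("\\", "/").rsplit("/", 1)[-1]
    safe = sanitize_filename(stored_name)
    return {
        "Content-Type": ctype,
        # 'attachment' makes the browser prompt to save instead of rendering inline.
        "Content-Disposition": f"attachment; filename=\"{safe}\"; filename*=UTF-8''{quote(base)}",
        # Stops the browser from sniffing text/plain into text/html.
        "X-Content-Type-Options": "nosniff",
        # Defence in depth: even if rendered, nothing may run and the document is sandboxed.
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


def renders_inline(headers: Dict[str, str]) -> bool:
    """True if these headers would let a browser display the body as a page (the weak setup)."""
    disp = headers.get("Content-Disposition", "").lower()
    return not disp.startswith("attachment")
```

The `test.txt` from the report is then served as `text/plain` with `Content-Disposition: attachment`, so the script tag is saved or shown as text rather than executed; a file renamed to `.html` is downgraded to `application/octet-stream`.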