GWTUpload XSS in the File Upload Functionality
1. Advisory Information
Title: GWTUpload XSS in the file upload functionality
Advisory ID: CORE-2020-0003
Advisory URL: http://www.coresecurity.com/advisories/
Date published: 2020-03-04
Date of last update: 2020-03-04
Vendors contacted: Manuel Carrasco Moñino (https://github.com/manolo/gwtupload)
Release mode: Forced release
2. Vulnerability Information
Class: Failure to Preserve Web Page Structure ('Cross-site Scripting') | CWE-79
Impact: Code execution allow privilege escalation
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2020-9447
3. Vulnerability Description
GWTUpload is a library for uploading files to web servers that features real-time updates on file size, bytes transferred, and other relevant information during upload. It was developed by Manuel Carrasco Moñino and is available on GitHub, the software development site used primarily for hosting source code and providing version control, issue tracking, and documentation capabilities.
4. Vulnerable Packages
- potentially older versions of gwtupload
5. Vendor Information, Solutions, and Workarounds
No version has been released to fix the reported issue.
Patches have been developed which will sanitize the upload file:
This vulnerability was discovered and researched by Alikhan Uzakov from the Application Security Team of Clearswift, A HelpSystems Company.
The publication of this advisory was coordinated by Pablo Zurro from the CoreLabs Advisories Team.
7. Technical Description / Proof of Concept Code
This proof of concept demonstrates the vulnerability.
This vulnerability can be reproduced as follows:
- Deploy the SingleUploadSample war file
8. Report Timeline
2019-11-12 – Contacted library creator on the via email. Unfortunately, no response was received.
2020-02-12 – Opened a GitHub issue.
2020-02-28 – Requested and received CVE from Mitre.
2020-03-04 – Sent fixes to GitHub project with patches.
2020-03-05 – Library creator informed about the advisory publication.
202-03-16 – Advisory published.
10. About CoreLabs
CoreLabs, the research center of Core Security, A HelpSystems Company is charged with researching and understanding security trends as well as anticipating the future requirements of information security technologies. CoreLabs studies cybersecurity trends, focusing on problem formalization, identification of vulnerabilities, novel solutions, and prototypes for new technologies. The team is comprised of seasoned researchers who regularly discover and discloses vulnerabilities, informing product owners in order to ensure a fix can be released efficiently, and that customers are informed as soon as possible. CoreLabs regularly publishes security advisories, technical papers, project information, and shared software tools for public use at https://www.coresecurity.com/core-labs.
11. About Core Security, A HelpSystems Company
Core Security, a HelpSystems Company, provides organizations with critical, actionable insight about who, how, and what is vulnerable in their IT environment. With our layered security approach and robust threat-aware, identity & access, network security, and vulnerability management solutions, security teams can efficiently manage security risks across the enterprise. Learn more at www.coresecurity.com
The contents of this advisory are copyright (c) 2020 Core Security and (c) 2020 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/