# halo <= 1.6.1 file upload details

## Acknowledgment

**Credit to [@beet1e](https://github.com/b33t1e) from Shanghai Jiao Tong University and [@chenlibo147](mailto:chenlibo147@mail.sdu.edu.cn), [@houqinsheng](mailto:houqinsheng@mail.sdu.edu.cn), 202037049@mail.sdu.edu.cn from Shandong University.**

## Vulnerability description

Follow the official documentation to start forem with the Docker installation.

![](https://notes.sjtu.edu.cn/uploads/upload_8ca1b7d03a3716212c98cb71d6eed4cc.png)

Then, we log into the administrator backend:

![](https://notes.sjtu.edu.cn/uploads/upload_87d28ec3e5874af85c858eb63e31ddb0.png)

Here we can use the import function to import articles in Markdown (md) format. This function corresponds to the API `/api/admin/backups/markdown/import`; this API accepts malicious files without checking their content. We upload the following file:

```
<script>alert("XSS")</script>
```

![](https://notes.sjtu.edu.cn/uploads/upload_a486f6dda45fb325b61ba46c1d65b8e8.png)

The file is uploaded successfully:

![](https://notes.sjtu.edu.cn/uploads/upload_3a08dc0863bbd778594e2db54ce9ed1c.png)

When someone reads this article, the JavaScript code is executed (stored XSS):

![](https://notes.sjtu.edu.cn/uploads/upload_a4b70ad3074f07a04c73fd696d9f542f.png)

![](https://notes.sjtu.edu.cn/uploads/upload_41cb02ac482c0497e8ea0e43a48c5adf.png)

So, the API `/api/admin/backups/markdown/import` has a malicious file upload vulnerability.