Glia CMS official Github: https://github.com/GilaCMS/gila
Gila CMS official website: https://gilacms.com
Latest version: 2.1.0 (https://github.com/GilaCMS/gila/tree/123e4f2258059185510994232461aafc921553de), as to 03/06/2021.
Vulnerable code at uploadAction function in src/core/controllers/FMController.php:
for ($i=0; $i<count($tmp_file); $i++) {
if (!FileManager::allowedFileType($name[$i])) {
die("Error: File type {$name[$i]} is not accepted!");
}
if (!move_uploaded_file($tmp_file[$i], SITE_PATH.$path.'/'.$name[$i])) {
die("Error: could not upload file!");
}
}
The filename $name is not properly filtered. Attacker with file upload access can upload a file with a disallowed extension (.php, etc.) that contains xss payload, for example "><svg onload=alert(1)>".py to trigger the target code block. This results in a reflected XSS. Sample demo in the following gif (gila_reflected_xss.gif).
The vulnerable code block is at dirAction() function in src/core/controllers/FMController.php:
public function dirAction()
{
\\ some codes here
$folderinfo['files'] = $filelist;
$folderinfo['path'] = $this->relativePath;
echo json_encode($folderinfo);
}
In short, the above function returns the files information of the requested folder in a json format:
{files: [{'name': 'file1', 'size':1, 'mtime': 'time', 'mode': mode, 'ext': '.txt'}, {file2, ....}, ...], 'path': 'log'}
When uploading a file, the attacker can control the filename variable. The attacker can upload a file with valid file extension but a malicious filename, such as "><svg onload=alert(1)>".txt to the directory that he has access to, for example './log/'. Later when any other user access the webpage to browse the files in this folder through fm/dir?path=log endpoint, the stored XSS content is triggered. This can be shown in the following (gila_stored_xss.gif).
