
Finding Stored XSS in File Upload

“FrontAccounting ERP is open source, web-based accounting software for small and medium enterprises. It supports double entry accounting providing both low level journal entry and user friendly, document based interface for everyday business activity with automatic GL postings generation.”

I had an opportunity to work with the developer of FrontAccounting to fix a Stored XSS issue caused by unrestricted file upload. Fixing the issue was an educational experience in the tradeoff between usability and security in an open source project. More details can be found in the bug tracker.

Issue Summary

In the attachment function, the user is allowed to attach a file to a particular existing transaction. However, I observed that there is no restriction on the type of files that are allowed to be uploaded.

I managed to upload a malicious SVG file that contains JavaScript. Since there was no validation on the file extension, the file was uploaded successfully.

When I opened up the attachment item, I could see that the malicious SVG file was uploaded.

Now, if another user opens this attached file, an alert box will appear.


  • The best method is to adopt a Secure by Default approach by restricting the file types that can be uploaded. This approach will reduce the attack surface. For example, does the application require SVG files to be uploaded? Perhaps the file type could be restricted to PDF, PNG, JPEG, DOCX, etc.
  • If SVG is required, sanitize the uploaded SVG file:
  • If sanitization is not possible, please follow these approaches:
    • Load the SVG from image tags as this will prevent scripts from running.
    • Use “content-disposition: attachment” – this forces the file to be downloaded.
    • Set Content Security Policy (CSP) to disallow inline JavaScript.
    • Combine (2) and (3) for double protection.
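
The allowlist and the download headers from the list above, as an added PHP sketch that is not FrontAccounting's own code. The function names, the allowlist (a subset of the file types mentioned above) and the sample file names are assumptions, and the content check relies on PHP's fileinfo extension.

```php
<?php
declare(strict_types=1);
// Assumed allowlist: extension => MIME type that fileinfo must report for it.
const ALLOWED_UPLOADS = [
    'pdf'  => 'application/pdf',
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
];

/** Accept an upload only if its extension is allowlisted and its content matches. */
function is_allowed_upload(string $clientName, string $tmpPath): bool
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_UPLOADS)) {
        return false; // svg, html and anything else unlisted never reaches storage
    }
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    return $detected === ALLOWED_UPLOADS[$ext]; // a renamed file fails here
}

/** Headers that make the browser download a stored file instead of rendering it. */
function attachment_headers(string $clientName): array
{
    // Conservative character set so the name cannot break out of the header value.
    $safe = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($clientName));
    return [
        'Content-Type: application/octet-stream',
        'Content-Disposition: attachment; filename="' . $safe . '"',
        'X-Content-Type-Options: nosniff',
        // If the response is ever rendered as a document, no script may run.
        "Content-Security-Policy: default-src 'none'; sandbox",
    ];
}

/** Stream a stored attachment with the defensive headers above. */
function send_attachment(string $storedPath, string $clientName): void
{
    foreach (attachment_headers($clientName) as $line) {
        header($line);
    }
    readfile($storedPath);
}

// Constructed sample: SVG content is refused under its own name and when renamed to .png.
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, '<svg xmlns="http://www.w3.org/2000/svg"></svg>');
var_dump(is_allowed_upload('invoice.svg', $tmp), is_allowed_upload('invoice.png', $tmp));
unlink($tmp);
```

In an upload handler, `is_allowed_upload()` would be called with the `name` and `tmp_name` fields of the `$_FILES` entry before the file is moved into storage.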

