New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

XSS (via SVG file upload) in CuppaCMS #3

Closed
security-provensec opened this Issue Aug 16, 2018 · 4 comments

Comments

Projects
None yet
2 participants
@security-provensec
Copy link

security-provensec commented Aug 16, 2018

Affected software: CuppaCMS

Type of vulnerability: XSS (via SVG file upload)

Discovered by: BreachLock

Website: https://www.breachlock.com

Author: Balvinder Singh

Description: SVG files can contain Javascript in <script> tags. Browsers are smart enough to ignore scripts embedded in SVG files included via IMG tags. However, a direct request for an SVG file will result in the scripts being executed.
So an embedded SVG as an attachment in an issue or avatar does not execute the code, but if a user clicks on the attachment the code will execute.

Proof of concept:

Step1: Login to the cuppa cms.
Step2: In the table manager section, add a new file and there is an upload option choose files and upload a malicious SVG file.
URL: http://localhost/cuppa_cms/administrator/#/component/table_manager/view/cu_views

Step3: Now open that file which was saved as 1.svg the below output will be shown.

URL: http://localhost/cuppa_cms/administrator/media/media/upload_files/1.svg executed
svg_ex_cu

@security-provensec

This comment has been minimized.

Copy link

security-provensec commented Sep 3, 2018

Hi Team,

Any updates regarding the patches.

@tufik2

This comment has been minimized.

Copy link
Contributor

tufik2 commented Sep 3, 2018

According to the specification, add <script> inside SVG is not considered a vulnerability and we can give support to it. If any person wants to disable upload .svg because consider that is a security risk, they can go to settings/file and remove it from allowed extensions.

https://developer.mozilla.org/en-US/docs/Web/SVG/Element/script

@tufik2 tufik2 closed this Nov 12, 2018

@security-provensec

This comment has been minimized.

Copy link

security-provensec commented Nov 26, 2018

SVG is a special case because even experienced admins may take them for sole
vector images and are unaware, or simply forget about the possibility of
malicious scripts in them. You should have to change the default settings for this i.e. do not allow to upload any malicious svg file.

@security-provensec

This comment has been minimized.

Copy link

security-provensec commented Nov 28, 2018

Hi,
Any Update on this.

Thanks
Provensec

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment