Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

XSS (via SVG file upload) in CuppaCMS #3

Closed
security-breachlock opened this issue Aug 16, 2018 · 4 comments
Closed

XSS (via SVG file upload) in CuppaCMS #3

security-breachlock opened this issue Aug 16, 2018 · 4 comments

Comments

@security-breachlock
Copy link

security-breachlock commented Aug 16, 2018

Affected software: CuppaCMS

Type of vulnerability: XSS (via SVG file upload)

Discovered by: BreachLock

Website: https://www.breachlock.com

Author: Balvinder Singh

Description: SVG files can contain Javascript in <script> tags. Browsers are smart enough to ignore scripts embedded in SVG files included via IMG tags. However, a direct request for an SVG file will result in the scripts being executed.
So an embedded SVG as an attachment in an issue or avatar does not execute the code, but if a user clicks on the attachment the code will execute.

Proof of concept:

Step1: Login to the cuppa cms.
Step2: In the table manager section, add a new file and there is an upload option choose files and upload a malicious SVG file.
URL: http://localhost/cuppa_cms/administrator/#/component/table_manager/view/cu_views

Step3: Now open that file which was saved as 1.svg the below output will be shown.

URL: http://localhost/cuppa_cms/administrator/media/media/upload_files/1.svg executed
svg_ex_cu

@security-breachlock
Copy link
Author

Hi Team,

Any updates regarding the patches.

@tufik2
Copy link
Contributor

tufik2 commented Sep 3, 2018

According to the specification, add <script> inside SVG is not considered a vulnerability and we can give support to it. If any person wants to disable upload .svg because consider that is a security risk, they can go to settings/file and remove it from allowed extensions.

https://developer.mozilla.org/en-US/docs/Web/SVG/Element/script

@tufik2 tufik2 closed this as completed Nov 12, 2018
@security-breachlock
Copy link
Author

security-breachlock commented Nov 26, 2018

SVG is a special case because even experienced admins may take them for sole
vector images and are unaware, or simply forget about the possibility of
malicious scripts in them. You should have to change the default settings for this i.e. do not allow to upload any malicious svg file.

@security-breachlock
Copy link
Author

Hi,
Any Update on this.

Thanks
Provensec

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants