Cross Site Scripting Vulnerability in Latest Release 3.3.13 #1266
Comments
uploadify has been removed in 3.4, and there is no updated version. Alternate mitigation: custom htaccess rule.

May I know when I can expect a new release which has a fix for this issue?

It is in alpha now, best estimate 4-8 weeks.

@cnb any ideas for an htaccess rule to block this?

Sorry, I'm no expert on htaccess. A possible (drastic) fix might be removing uploadify support by default: GSNOUPLOADIFY set to true, .swf file removed (or renamed). (Ideally GS could have dropzone as a plugin...)

Maybe something like that

I didn't mean to remove it entirely, just filter the injection of the query string. Not sure if it's safe to mitigate at all; I think uploadify might take a URL and even more params than that one, and it does preupload checks also. Not sure what moviename is. I guess removing it is the safest bet.

I'd suggest replacing the existing version with the latest version of uploadify, which has a fix for this.

I think this is the last version with this license; the next release is totally different.

uploadify disabled by default: #define('GSNOUPLOADIFY', 0); // 0 to reenable uploadify ( uploadify is outdated flash based and has known xss exploits! USE AT OWN RISK )

Note that just disabling the setting does not really fix the issue. The file is still accessible at

Oh yeah, I forgot part 2, rename. Your PR, I just need to test it.

A different solution/workaround might be:
And then (perhaps only in the backend), always check if uploadify is enabled, and:

That's a good idea also. I was going to add a block rule in htaccess as well (the htaccess would use some kind of token to permit it, or the referrer, didn't think that far, but some way to check that it is called from the embed in the page), and this was to get people used to it and to test it going away.
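The htaccess block rule discussed above, written out as an added example (this is not code from the GetSimple project or from anyone in this thread). It assumes the Flash file sits at admin/template/js/uploadify/uploadify.swf as in the report URL, that the rule goes in a .htaccess in that same directory, and that the vhost's AllowOverride permits it:

```apache
# Added example, not GetSimple's own code. Deny all web access to the Flash
# uploader so the reflected XSS in uploadify.swf cannot be reached, even if
# GSNOUPLOADIFY is left at 0 in the config. Assumes this .htaccess lives in
# admin/template/js/uploadify/ and AllowOverride allows Limit/AuthConfig.
<Files "uploadify.swf">
    <IfModule mod_authz_core.c>
        # Apache 2.4 syntax
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2 syntax
        Order allow,deny
        Deny from all
    </IfModule>
</Files>
```

Every request for the .swf then gets a 403, so Flash uploads stop working entirely, which matches the "removing it is the safest bet" view above. On hosts that do not honour .htaccess, renaming or deleting the file is the equivalent step, since (as noted above) the config flag alone leaves it reachable.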
Hi, I would like to report a Cross Site Scripting vulnerability in the latest release.
Description:
Cross-site scripting (XSS) vulnerability in the uploadify Flash file might allow remote attackers to inject arbitrary web script or HTML via multiple parameters.
Steps To Reproduce:
http://[URL]GetSimpleCMS-3.3.13/admin/template/js/uploadify/uploadify.swf?movieName="])}catche(e){alert("xss")}//
Fix:
Update uploadify version.
Release Info:
3.3.13