
Cross Site Scripting Vulnerability in Latest Release 3.3.13 #1266

Open
MrR3boot opened this issue Mar 31, 2018 · 16 comments

Comments

@MrR3boot

Hi, I would like to report a Cross Site Scripting vulnerability in the latest release.

Description:

Cross-site scripting (XSS) vulnerability in the uploadify flash file might allow remote attackers to inject arbitrary web script or HTML via multiple parameters.

Steps To Reproduce:

  1. Open the URL below in a browser which supports Flash.
    http://[URL]GetSimpleCMS-3.3.13/admin/template/js/uploadify/uploadify.swf?movieName="])}catche(e){alert("xss")}//

Fix:

Update uploadify version.

Release Info:

3.3.13

@tablatronix
Member

tablatronix commented Mar 31, 2018

uploadify has been removed in 3.4, and there is no updated version.
Mitigation is to set GSNOUPLOADIFY and fall back to HTML uploads, or update to 3.4 when it is released.

Alternate mitigation: a custom htaccess rule.

@tablatronix tablatronix added this to the 3.3.14 milestone Mar 31, 2018
@MrR3boot
Author

May I know when I can expect a new release which has a fix for this issue?

@tablatronix
Member

It is in alpha now, best estimate 4-8 weeks.

@tablatronix
Member

@cnb ideas for an htaccess rule to block this?

@cnb
Contributor

cnb commented Apr 1, 2018

Sorry, I'm no expert on htaccess.
Solution would be to prevent hotlinking uploadify.swf?

A possible (drastic) fix might be removing uploadify support by default: GSNOUPLOADIFY set to true, .swf file removed (or renamed)

(Ideally GS could have dropzone as a plugin...)

@bigin

bigin commented Apr 1, 2018

Maybe something like that:

 # Block access to uploadify.swf file
 RewriteEngine On
 # Match any request whose path ends in uploadify.swf (any directory depth)
 RewriteCond %{REQUEST_URI} (^|/)uploadify\.swf
 # Answer 403 Forbidden and stop processing further rules
 RewriteRule .* - [F,L]

@tablatronix
Member

tablatronix commented Apr 1, 2018

I didn't mean to remove it entirely, just filter the injection of the query string.

Not sure if it's safe to mitigate at all. I think uploadify might take a URL and even more params than that one; it does pre-upload checks also. Not sure what movieName is.

I guess removing it is the safest bet.

@MrR3boot
Author

MrR3boot commented Apr 1, 2018

I'd suggest replacing the existing version with the latest version of uploadify, which has a fix for this.

@tablatronix
Member

I think this is the last version with this license; the next release is totally different.

@cnb
Contributor

cnb commented May 13, 2018

CVE-2018-9173

@cnb
Contributor

cnb commented Aug 11, 2018

#1280

@tablatronix tablatronix modified the milestones: 3.3.14, 3.3.16 May 24, 2019
tablatronix pushed a commit that referenced this issue May 24, 2019
Disabled nouploadify by default
@tablatronix
Member

uploadify disabled by default

#define('GSNOUPLOADIFY', 0); // 0 to reenable uploadify ( uploadify is outdated flash based and has known xss exploits! USE AT OWN RISK )

@cnb
Contributor

cnb commented May 24, 2019

Note that just disabling the setting does not really fix the issue. The file is still accessible at /admin/template/js/uploadify/uploadify.swf

@tablatronix
Member

Oh yeah, I forgot part 2, the rename, your PR. I just need to test it.

@tablatronix tablatronix reopened this May 24, 2019
@cnb
Contributor

cnb commented May 25, 2019

A different solution/workaround might be:

  • uploadify disabled by default

And then (perhaps only in backend), always check if uploadify enabled, and:

  • if yes, rename file to .swf
  • if not, rename file to .tmp

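The rename-on-setting check cnb describes above, written out as an added example; this is not GetSimple's code and not cnb's PR. It takes the path from the issue (admin/template/js/uploadify/uploadify.swf) but builds a throw-away copy under the system temp directory so it runs offline, and since the thread does not show how GetSimple derives "uploadify enabled" from GSNOUPLOADIFY, that decision is passed in as a plain boolean.

```php
<?php
// Added example (not GetSimple's own code): keep the on-disk name of the Flash
// uploader in step with the setting. Enabled -> uploadify.swf exists; disabled
// -> the file is parked as uploadify.tmp so the .swf URL no longer resolves.
// The "enabled" decision is a plain bool here (assumption: how GS reads
// GSNOUPLOADIFY is not shown in the thread).

declare(strict_types=1);

/** Paths of the live (.swf) and parked (.tmp) file below $baseDir. */
function uploadify_paths(string $baseDir): array
{
    $dir = rtrim($baseDir, '/') . '/admin/template/js/uploadify/'; // path from the issue
    return ['swf' => $dir . 'uploadify.swf', 'tmp' => $dir . 'uploadify.tmp'];
}

/**
 * Make the file name match the setting. Idempotent: returns the path that
 * exists after the call, or null when neither name is present (file deleted).
 */
function sync_uploadify_file(string $baseDir, bool $enabled): ?string
{
    $p    = uploadify_paths($baseDir);
    $want = $enabled ? $p['swf'] : $p['tmp'];
    $have = $enabled ? $p['tmp'] : $p['swf'];

    if (is_file($want)) {
        return $want;            // already in the desired state
    }
    if (!is_file($have)) {
        return null;             // nothing to rename: file removed entirely
    }
    return rename($have, $want) ? $want : null;
}

/** Sandbox run with a constructed dummy uploadify.swf; cleaned up afterwards. */
function demo(): void
{
    $base = sys_get_temp_dir() . '/gs-uploadify-demo-' . getmypid();
    $dir  = $base . '/admin/template/js/uploadify';
    mkdir($dir, 0700, true);
    file_put_contents($dir . '/uploadify.swf', 'constructed dummy flash bytes');

    // Default after the 3.3.16 change: uploadify disabled -> park the file.
    printf("disabled: %s\n", sync_uploadify_file($base, false));
    // Admin re-enables it -> restore the .swf name.
    printf("enabled:  %s\n", sync_uploadify_file($base, true));
    // Same setting again -> no change.
    printf("again:    %s\n", sync_uploadify_file($base, true));

    // Tidy up the sandbox tree.
    foreach (uploadify_paths($base) as $f) {
        if (is_file($f)) {
            unlink($f);
        }
    }
    foreach ([$dir, dirname($dir), dirname($dir, 2), dirname($dir, 3), $base] as $d) {
        @rmdir($d);
    }
}

demo();
```

The check belongs on an admin-side code path that runs on every backend load, as cnb suggests, so a config edit takes effect without a manual rename. Renaming only changes the URL the file answers to; as tablatronix notes, 3.4 removes uploadify altogether, which is the cleaner end state.
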
@tablatronix
Member

tablatronix commented May 25, 2019

That's a good idea also. I was going to add a block rule in htaccess too (the htaccess would use some kind of token to permit it, or something, or the referrer; I didn't think that far, but a way to check that it is called from the embed in the page), and this was to get people used to it and to test it going away.
