
Storage type xss by uploading svg files #52

Closed
yaoyao6688 opened this issue Oct 14, 2019 · 1 comment
yaoyao6688 commented Oct 14, 2019

Version impacted
v1.11.4
Vulnerability details (POC)
A file with the suffix .svg containing the following code, once uploaded to the server, can execute arbitrary JavaScript. If an ordinary user has permission to upload files and an administrator user accidentally accesses the malicious svg uploaded by that user, the ordinary user can obtain the administrator user's cookie information, resulting in an elevation of the ordinary user's privileges. It is dangerous for the system to allow uploading svg files.

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
   <script type="text/javascript">
      alert(document.cookie);
   </script>
</svg>

Accessing the file shows that the malicious code has been executed (screenshots in the original report).
Vulnerability-related code
The media_uploadAction function in /src/core/controllers/admin.php allows uploading svg files:

  function media_uploadAction(){
    if(!gForm::posted()) {
      echo "Permission denied.";
      exit;
    }
    if(isset($_FILES['uploadfiles'])) {
      if (isset($_FILES['uploadfiles']["error"])) if ($_FILES['uploadfiles']["error"] > 0) {
        echo "Error: " . $_FILES['uploadfiles']['error'] . "<br>";
      }
      $path = router::post('path','assets');
      if($path[0]=='.') $path='assets';
      $tmp_file = $_FILES['uploadfiles']['tmp_name'];
      $name = htmlentities($_FILES['uploadfiles']['name']);
      if(in_array(pathinfo($name, PATHINFO_EXTENSION),["svg","jpg","JPG","jpeg","JPEG","png","PNG","gif","GIF"])) {
        $path = SITE_PATH.$path.'/'.$name;
        if(!move_uploaded_file($tmp_file, $path)) {
          echo "Error: could not upload file!<br>";
        }
        $maxWidth = gila::config('maxImgWidth') ?? 0;
        $maxHeight = gila::config('maxImgHeight') ?? 0;
        if($maxWidth>0 && $maxHeight>0) {
          image::make_thumb($path, $path, $maxWidth, $maxHeight);
        }
      } else echo "<div class='alert error'>Error: not a media file!</div>";
    }

    self::mediaAction();
  }

Repair suggestion
Remove svg files from the list
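As an added example (not Gila CMS code and not part of the original report), the following is a hardened form of the upload check that follows the repair suggestion above: svg is dropped from the allowlist, the extension check is case-insensitive, and the bytes are verified with finfo and getimagesize so that an SVG renamed to .png is still rejected. As a general precaution it also resolves the destination directory with realpath and stores the file under a server-generated name. The function names validate_media_upload and resolve_upload_dir, and the $baseDir and $requestedSubdir parameters, are assumptions made for this example; it is a stand-alone helper, not a patch to media_uploadAction.

```php
<?php
// Added example, not Gila CMS code. Helper names and parameters are assumptions.

// Resolve $requestedSubdir under $baseDir and refuse anything that escapes $baseDir.
function resolve_upload_dir(string $baseDir, string $requestedSubdir = ''): string
{
    $root = realpath($baseDir);
    $dir  = realpath($baseDir . DIRECTORY_SEPARATOR . $requestedSubdir);
    if ($root === false || $dir === false) {
        throw new RuntimeException('Upload directory does not exist');
    }
    $inside = ($dir === $root)
        || strncmp($dir, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) === 0;
    if (!$inside) {
        throw new RuntimeException('Invalid upload directory');
    }
    return $dir;
}

// Validate one entry of $_FILES and move it into place. Returns the stored path.
function validate_media_upload(array $file, string $baseDir, string $requestedSubdir = ''): string
{
    // Raster formats only. SVG is XML and can carry <script>, so it is not listed.
    $allowed = [
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'png'  => 'image/png',
        'gif'  => 'image/gif',
    ];

    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed, error code ' . (int) ($file['error'] ?? -1));
    }
    // Only accept a file that PHP actually received through the upload mechanism.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }

    // Lower-casing the extension means one allowlist entry covers .png, .PNG and .Png,
    // and "svg" in any casing is rejected because it is simply not in the list.
    $ext = strtolower(pathinfo(basename($file['name']), PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        throw new RuntimeException('Not a media file');
    }

    // Judge the content, not the name: an SVG renamed to .png is reported as
    // image/svg+xml by libmagic and fails this comparison.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== $allowed[$ext]) {
        throw new RuntimeException("Content type $mime does not match .$ext");
    }
    // getimagesize() returns false for anything that is not a decodable raster image.
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('File is not a decodable image');
    }

    $dir = resolve_upload_dir($baseDir, $requestedSubdir);

    // Server-generated name: the client does not choose what the file is called on disk.
    $target = $dir . DIRECTORY_SEPARATOR . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not store upload');
    }
    return $target;
}

// Usage in a handler (the $_FILES key matches the form field shown in the report):
// try {
//     $stored = validate_media_upload($_FILES['uploadfiles'], SITE_PATH . 'assets', $_POST['path'] ?? '');
// } catch (RuntimeException $e) {
//     echo "<div class='alert error'>Error: " . htmlspecialchars($e->getMessage()) . "</div>";
// }
```

Scripts inside an SVG run only when the browser navigates to the file directly or loads it through object/iframe, not when it is referenced from an img tag. So if svg support is ever brought back, serving uploads from a separate, cookie-less origin, or with Content-Disposition: attachment, removes the administrator-cookie exposure this report describes even when the file itself is not sanitized.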

@vzuburlis vzuburlis self-assigned this Oct 16, 2019
vzuburlis (Member) commented
I will remove svg from uploading for now, but I will leave the issue open in the hope that we can find another solution.
