Describe the bug
This vulnerability can potentially enable any student to take over the account of a TA if they open the attachment, as the cookie gets exposed.
A student logged in via username/password student:student has the ability to submit submissions for grading.
These can then be viewed by the TA from their account via ta:ta. When they click on the file for grading, stored XSS gets triggered.
Expected behavior
.svg files must be stopped from getting uploaded by any student during submissions.
To Reproduce
Steps to reproduce the behavior:
Log in as a student via student:student
Go here http://localhost:1501/s20/tutorial/gradeable/01_simple_python (as ex.)
In the new submission upload the .svg file.
The SVG file can be created by saving as .svg
GitHub doesn't allow attaching SVG files, nor their code, so here is the link to create a sample malicious SVG file.
Log in as ta and open the same file for grading. The XSS gets triggered, alerting the cookies.
Screenshots
Additional context
We may try to block .svg files from uploading and also try to drop the Content-Type: image/svg+xml.
Adding Content-Disposition: attachment as mentioned here may help with the mitigation.
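The two mitigations suggested above (reject SVG at upload time, and never serve a stored submission inline as image/svg+xml) as an added example. This is illustrative code written for this issue, not the project's own upload or download code; the function names, the 4 KiB sniffing window and the sample inputs are assumptions. It rejects SVG by extension and by content (a renamed .svg still starts with an <svg> root, and a .svgz is just gzip around the same XML), and builds download headers that force an attachment with a sanitised filename and a non-scriptable content type.

```python
"""Defensive upload filtering and download headers for student submissions.

Added example for this issue, not the project's code.  Hypothetical helpers:
  - looks_like_svg():     extension check plus content sniffing (handles .svgz)
  - validate_upload():    accept/reject decision for a new submission file
  - download_headers():   headers for serving a stored file as a download only
"""
import os
import re
import zlib
from typing import Dict, Tuple

# Extensions that denote SVG, including the gzip-compressed variant (assumed list).
SVG_EXTENSIONS = {".svg", ".svgz"}

# Only the first SNIFF_BYTES of a file are inspected (assumed window size).
SNIFF_BYTES = 4096

# An <svg> (or <svg:svg>) root element, optionally preceded by a UTF-8 BOM,
# an XML declaration, XML comments and a DOCTYPE.  Case-insensitive.
_SVG_ROOT = re.compile(
    rb"\A(?:\xef\xbb\xbf)?\s*(?:<\?xml[^>]*\?>\s*)?(?:<!--.*?-->\s*)*"
    rb"(?:<!DOCTYPE[^>]*>\s*)?(?:<!--.*?-->\s*)*<svg(?::svg)?[\s>/]",
    re.IGNORECASE | re.DOTALL,
)

# Content types a browser would render as a document with script access.
_INLINE_RENDERABLE = {
    "image/svg+xml", "text/html", "application/xhtml+xml",
    "text/xml", "application/xml", "",
}


def _maybe_inflate(head: bytes) -> bytes:
    """If the bytes start with the gzip magic, inflate as much as is available
    (a truncated sniff window is fine) so a .svgz renamed to .png is still seen."""
    if head[:2] != b"\x1f\x8b":
        return head
    try:
        return zlib.decompressobj(16 + zlib.MAX_WBITS).decompress(head, SNIFF_BYTES)
    except zlib.error:
        return head


def looks_like_svg(filename: str, data: bytes) -> bool:
    """True if either the extension or the leading bytes identify an SVG document."""
    ext = os.path.splitext(filename)[1].lower()
    if ext in SVG_EXTENSIONS:
        return True
    return _SVG_ROOT.search(_maybe_inflate(data[:SNIFF_BYTES])) is not None


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for a submission file."""
    if looks_like_svg(filename, data):
        return False, "SVG content is not accepted for submissions"
    return True, "ok"


def download_headers(filename: str, declared_type: str) -> Dict[str, str]:
    """Headers for serving a stored upload: always an attachment, never a
    scriptable inline document, and a filename safe to place in a header."""
    base = os.path.basename(filename.replace("\\", "/"))
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", base) or "download"
    content_type = declared_type.lower().split(";")[0].strip()
    if content_type in _INLINE_RENDERABLE:
        content_type = "application/octet-stream"
    return {
        "Content-Type": content_type,
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Constructed sample: a harmless SVG body renamed to look like a PNG.
    sample = b'<?xml version="1.0"?>\n<svg xmlns="http://www.w3.org/2000/svg"/>'
    print(validate_upload("drawing.png", sample))
    print(download_headers("../report.svg", "image/svg+xml"))
```

The content check matters because an extension denylist alone is bypassed by renaming; the header helper matters because even a file that slipped through is harmless if the browser is told to download it rather than render it. A Content-Security-Policy header with `sandbox` on the download route is a further optional layer.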