
stored xss in XOOPS 25-2.5.8 #524

Closed
jgj212 opened this issue Jul 18, 2017 · 2 comments

@jgj212

jgj212 commented Jul 18, 2017

There is a stored XSS in imagemanager.php.

Here is the critical code:
[screenshot]

After the file is uploaded, some information about the file will be written to the database.
image_mimetype, with the value from $uploader->getMediaType(), will be written.
[screenshot]

$uploader->getMediaType() ultimately comes from the type of the uploaded file, which is generated on the browser side, so this causes a stored XSS.

[screenshot]

Credit: ADLab of Venustech

@mambax7
Collaborator

mambax7 commented Jul 18, 2017

Thank you for the report! Could you please test the upcoming XOOPS 2.5.9, because many things have been fixed there:
https://github.com/XOOPS/XoopsCore25/releases/tag/v2.5.9-RC2

Also, to make sure that the right people will receive your reports, could you email them to:
security@xoops.org

Thank you!

@jgj212
Author

jgj212 commented Jul 18, 2017

@mambax7 "XOOPS 2.5.9 Release Candidate 2" is still affected because it does not filter the MIMETYPE of the uploaded image file.

@geekwright geekwright self-assigned this Jul 24, 2017
@geekwright geekwright added the bug label Jul 24, 2017
geekwright added a commit to geekwright/XoopsCore25 that referenced this issue Jul 24, 2017
In XoopsMediaUploader, there is an option, $allowUnknownTypes,
that could allow a malicious mime-type supplied in an HTTP
request to be returned directly to the caller. Without further
processing by the caller, a carefully crafted mime-type could
be used to facilitate other malicious actions.

This change checks the structure of the mime-type, and will
always reject any upload attempted with a non-conforming
content-type specified (i.e. containing script code.)

Fixes XOOPS#524
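The following is an added example, not XOOPS code and not the commit referenced above. It shows the shape of the problem the report describes (a client-controlled media type stored verbatim and later rendered) next to the kind of structural check the commit message describes, plus the output encoding that should exist in the template regardless of what was stored. Function names (`isWellFormedMimeType`, `mediaTypeUnchecked`, `mediaTypeChecked`, `renderMimeTypeCell`) and the sample inputs are illustrative; the grammar used for the check is the RFC 6838 restricted-name grammar.

```php
<?php
declare(strict_types=1);

// Added example, not XOOPS code. Function and variable names are illustrative.
// The Content-Type of a multipart file part is set by the client, so anything
// derived from it (here: the value later written to image_mimetype) is
// untrusted input.

/**
 * Structural check for a "type/subtype" media type, following the RFC 6838
 * restricted-name grammar: first character alphanumeric, then up to 126
 * characters from [A-Za-z0-9!#$&^_.+-]. Parameters (";charset=..."),
 * whitespace and markup characters such as '<' and '"' are all rejected.
 */
function isWellFormedMimeType(string $type): bool
{
    $name = '[A-Za-z0-9][A-Za-z0-9!#$&^_.+-]{0,126}';
    return preg_match('~^' . $name . '/' . $name . '\z~', $type) === 1;
}

/**
 * The pattern the report describes: the client-supplied type is returned
 * as-is, so whatever the browser sent ends up in the database.
 */
function mediaTypeUnchecked(string $clientType): string
{
    return $clientType;
}

/**
 * The hardened variant: reject the whole upload when the type is not
 * well formed, instead of storing a value that is later rendered in the
 * image manager. Media types are case-insensitive, so normalise too.
 */
function mediaTypeChecked(string $clientType): string
{
    if (!isWellFormedMimeType($clientType)) {
        throw new InvalidArgumentException('Rejected upload: malformed media type');
    }
    return strtolower($clientType);
}

/**
 * Output encoding belongs in the template no matter what was stored:
 * this is what actually stops a stored value from becoming script.
 */
function renderMimeTypeCell(string $stored): string
{
    return '<td>' . htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Constructed inputs: values an attacker can place in a file part's Content-Type.
$samples = [
    'image/png',
    'image/svg+xml',
    'image/png<script>alert(1)</script>',
    'image/png; charset=utf-8',
    '"><img src=x onerror=alert(1)>',
];

foreach ($samples as $type) {
    $stored = mediaTypeUnchecked($type);
    printf("unchecked store: %s\n", $stored);
    printf("  escaped render: %s\n", renderMimeTypeCell($stored));
    try {
        printf("  checked store:  %s\n", mediaTypeChecked($type));
    } catch (InvalidArgumentException $e) {
        printf("  checked store:  %s\n", $e->getMessage());
    }
}
```

Two caveats a reviewer would raise. The structural check keeps markup out of the stored value, but it is the escaping at render time that is the real XSS control; a check on input alone does not protect other templates that print the same column. And a well-formed type is still a client claim: `image/svg+xml` passes the grammar but an SVG served inline can carry script, so the server should determine the type itself (for example with PHP's finfo extension) and decide what it is willing to store and serve, rather than trusting the header.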