
Stored XSS in file content #2338

Closed
dayn1ne opened this issue Jul 16, 2019 · 6 comments

Comments

@dayn1ne

commented Jul 16, 2019

Description
The current version of Firefly III, version 4.7.17.2, is vulnerable to stored XSS due to a lack of filtering of user-supplied data in file content. A malicious attacker can upload a specially crafted image which contains JavaScript code. The malicious JavaScript code will be executed when a user views this attachment (http://firefly.host/attachments/view/$file_id$).

Steps to reproduce

  1. Download the attached zip file and extract the SVG image, or create an SVG file with the contents given below
  2. Create a new transaction or update an existing one, and upload svgfile.svg
  3. After the attachment is uploaded, click on the filename

PoC image
Screenshot 2019-07-16 at 12 37 30

Image for testing
svgfile.zip

Content of svgfile.svg

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert('SVG PoC');
   </script>
</svg>
@JC5

Member

commented Jul 16, 2019

What would be a mitigation for this?

@dayn1ne

Author

commented Jul 16, 2019

I'm afraid I cannot give you an easy solution for this, but there are some workarounds:

  1. Don't allow SVG at all
  2. Allow SVG but don't display it; only allow it to be downloaded
  3. Strip dangerous content from the SVG before displaying it (but there will always be tags that you cannot strip)
  4. Convert to a different format (PNG or JPEG)
@dayn1ne

Author

commented Jul 16, 2019

There is a nice article about protecting from XSS in SVG files - https://digi.ninja/blog/svg_xss.php

@JC5

Member

commented Jul 16, 2019

Fixed it with a CSP header. I'll push the result later tonight.
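The two defensive options discussed in this thread, workaround 2/3 (scan the SVG and refuse to render anything active inline) and the maintainer's CSP header, as an added example that is not Firefly III code and does not reproduce commit 531161d. The function names, the element/attribute lists, the exact CSP string and the sample documents are my own assumptions; the first sample is the PoC file from this issue, the other two are constructed.

```python
"""Defensive handling of uploaded SVG attachments (added example, not project code).

Assumes the application holds the raw upload and decides, per request to
/attachments/view/<id>, which headers to send. The lists below are a
conservative starting point, not an exhaustive SVG security model.
"""
import re
import xml.etree.ElementTree as ET

# Elements whose presence means the file can run code or embed HTML.
ACTIVE_ELEMENTS = {"script", "foreignobject", "handler"}
# URL schemes that execute when an SVG <a>/<use>/<image> href is followed.
ACTIVE_SCHEMES = ("javascript:", "vbscript:")
# Formats a browser renders with no script capability; safe to show inline.
RASTER_TYPES = {"image/png", "image/jpeg", "image/gif", "image/webp"}


def local_name(qualified: str) -> str:
    """'{http://www.w3.org/2000/svg}script' -> 'script' (works for attribute names too)."""
    return qualified.rsplit("}", 1)[-1]


def find_active_content(svg_text: str) -> list[str]:
    """Return findings describing active content in an SVG document (empty list = none found).

    Malformed XML raises ET.ParseError; treat that as a rejected upload.
    For untrusted XML in production, parse with defusedxml (entity expansion).
    """
    findings = []
    root = ET.fromstring(svg_text)  # expat does not fetch the external DOCTYPE
    for elem in root.iter():
        name = local_name(elem.tag)
        if name.lower() in ACTIVE_ELEMENTS:
            findings.append(f"<{name}> element")
        for attr, value in elem.attrib.items():
            aname = local_name(attr)
            if aname.lower().startswith("on"):
                # onload="..." and friends run on render; a display-time strip
                # that misses one of these is exactly what workaround 3 warns about.
                findings.append(f"{aname} handler on <{name}>")
            elif aname.lower() == "href":
                # Browsers ignore whitespace/control characters inside the scheme
                # ("java\tscript:"), so remove them before comparing.
                scheme = re.sub(r"[\s\x00-\x1f]", "", value).lower()
                if scheme.startswith(ACTIVE_SCHEMES):
                    findings.append(f'{aname}="{value.strip()}" on <{name}>')
    return findings


def attachment_headers(mime_type: str, filename: str, findings: list[str]) -> dict[str, str]:
    """Response headers for a stored attachment.

    Raster images render inline. An SVG renders inline only when the scan found
    nothing; otherwise it is forced to download (workaround 2). The CSP, the
    approach the maintainer chose, blocks inline <script> and event handlers in
    the SVG document even if the scan missed something.
    """
    safe_name = re.sub(r"[^\w.\-]", "_", filename)  # no quotes or CRLF in the header value
    inline = mime_type in RASTER_TYPES or (mime_type == "image/svg+xml" and not findings)
    return {
        "Content-Type": mime_type,
        "X-Content-Type-Options": "nosniff",  # never let the browser sniff this into text/html
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'",
        "Content-Disposition": f'{"inline" if inline else "attachment"}; filename="{safe_name}"',
    }


# Samples: POC_SVG is the file from this issue; the other two are constructed.
POC_SVG = """<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert('SVG PoC');
   </script>
</svg>"""
EVIL_ATTRS_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <a xlink:href="java&#9;script:alert(1)"><text>click</text></a>
</svg>"""
CLEAN_SVG = """<svg xmlns="http://www.w3.org/2000/svg">
  <polygon points="0,0 0,50 50,0" fill="#009900" style="stroke:#004400"/>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("poc", POC_SVG), ("attrs", EVIL_ATTRS_SVG), ("clean", CLEAN_SVG)):
        found = find_active_content(doc)
        headers = attachment_headers("image/svg+xml", f"{label}.svg", found)
        print(label, found or "no active content", "->", headers["Content-Disposition"])
```

The scan and the headers are deliberately independent layers: the scan decides whether an SVG is shown inline at all, and the CSP plus `nosniff` still apply to everything that is served, so a pattern the scan does not know about is contained rather than executed.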

@JC5 JC5 closed this in 531161d Jul 16, 2019

@JC5 JC5 added bug fixed labels Jul 16, 2019

@JC5 JC5 reopened this Jul 16, 2019

@dayn1ne

Author

commented Jul 17, 2019

Confirmed, the bug is not reproducible anymore.

@JC5 JC5 closed this Aug 3, 2019
