
Stored XSS in file content #2338

Closed
dayn1ne opened this issue Jul 16, 2019 · 6 comments
Labels
bug Verified and replicated bugs and issues. fixed Bugs that are fixed (in a coming release).

Comments

@dayn1ne

dayn1ne commented Jul 16, 2019

Description
The current version of Firefly III, version 4.7.17.2, is vulnerable to stored XSS due to a lack of filtering of user-supplied data in file contents. A malicious attacker can upload a specially crafted image which contains JavaScript code. The malicious JavaScript code will be executed when a user views this attachment (http://firefly.host/attachments/view/$file_id$).

Steps to reproduce

  1. Download the attached zip file and extract the SVG image, or create an SVG file with the contents given below
  2. Create a new transaction or update an existing one and upload svgfile.svg
  3. After the attachment is uploaded, click on the filename

PoC image
Screenshot 2019-07-16 at 12 37 30

Image for testing
svgfile.zip

Content of svgfile.svg

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert('SVG PoC');
   </script>
</svg>

@JC5
Member

JC5 commented Jul 16, 2019

What would be a mitigation for this?

@dayn1ne
Author

dayn1ne commented Jul 16, 2019

I'm afraid I cannot give you an easy solution for this, but there are some workarounds:

  1. Don't allow SVG at all
  2. Allow SVG but don't display it; only allow it to be downloaded
  3. Trim out dangerous stuff from the SVG before displaying it (but there will always be tags that you cannot strip)
  4. Convert to a different format (PNG or JPEG)

@dayn1ne
Author

dayn1ne commented Jul 16, 2019

There is a nice article about protecting from XSS in SVG files - https://digi.ninja/blog/svg_xss.php

@JC5
Member

JC5 commented Jul 16, 2019

Fixed it with a CSP header. I'll push the result later tonight.
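
The two mitigations the thread settles on, refusing SVG uploads that carry active content (workaround 3 in the list above) and serving attachments so that a browser will not execute what slips through (the CSP fix JC5 mentions, plus download-only delivery from workaround 2), as an added example written for this page. It is not Firefly III code and not the CSP the project actually shipped in 531161d, which the thread does not quote; the policy string, the function names and the element/attribute lists are this example's own assumptions. The PoC SVG from the issue is embedded as constructed sample input.

```python
"""Defensive checks for user-uploaded SVG attachments.

Added example, not Firefly III code. It demonstrates two mitigations
discussed in this issue: (1) detecting active content in an SVG before it
is stored, and (2) serving attachments with response headers (Content
Security Policy, Content-Disposition) that keep any script that slips
through from running in the viewer's browser.
"""
import xml.etree.ElementTree as ET

# Elements that can execute script or embed HTML inside an SVG document
# (assumed list for this example; extend it to match your own policy).
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
# URL schemes in href / xlink:href that can carry executable content.
DANGEROUS_SCHEMES = {"javascript", "vbscript", "data"}


def _local_name(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return tag.rsplit("}", 1)[-1]


def find_active_content(svg_bytes: bytes) -> list[str]:
    """Return findings describing active content in the SVG; empty means clean.

    A parse error is itself reported as a finding, because a file that is not
    well-formed XML should not be accepted as an SVG image either.
    """
    try:
        # expat does not fetch the external DTD referenced by the DOCTYPE, so
        # parsing an untrusted file here does not trigger network access.
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    findings = []
    for elem in root.iter():
        name = _local_name(elem.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"<{name}> element")
        for attr, value in elem.attrib.items():
            attr_name = _local_name(attr)
            # Event handler attributes (onload, onclick, ...) are script.
            if attr_name.lower().startswith("on"):
                findings.append(f"{attr_name} handler on <{name}>")
            # href and xlink:href both have local name "href".
            if attr_name == "href":
                scheme = value.strip().lower().split(":", 1)[0]
                if scheme in DANGEROUS_SCHEMES:
                    findings.append(f"{scheme}: URL in {attr_name} on <{name}>")
    return findings


def attachment_headers(filename: str, content_type: str) -> dict[str, str]:
    """Response headers for serving a stored attachment.

    The CSP value is an assumption for this example, not the one Firefly III
    ships: default-src 'none' forbids script and every other active source in
    the served document, and sandbox stops it from acting as the app's origin.
    Content-Disposition: attachment makes browsers download instead of render,
    which is workaround 2 from the list in this thread.
    """
    safe_name = filename.replace('"', "").replace("\r", "").replace("\n", "")
    return {
        "Content-Type": content_type,
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


# Constructed samples: the PoC from this issue and a benign version of it.
POC_SVG = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">alert('SVG PoC');</script>
</svg>"""

CLEAN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg">
   <polygon points="0,0 0,50 50,0" fill="#009900"/>
</svg>"""

if __name__ == "__main__":
    print("PoC findings:", find_active_content(POC_SVG))      # ['<script> element']
    print("Clean findings:", find_active_content(CLEAN_SVG))  # []
    print(attachment_headers("svgfile.svg", "image/svg+xml"))
```

The upload check and the response headers are independent layers: the check keeps obvious cases out of storage, while the headers protect the viewer even for a file the parser did not flag, which is why the thread's CSP fix alone was enough to close the issue.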

@JC5 JC5 closed this as completed in 531161d Jul 16, 2019
@JC5 JC5 added bug Verified and replicated bugs and issues. fixed Bugs that are fixed (in a coming release). labels Jul 16, 2019
@JC5
Member

JC5 commented Jul 16, 2019

@JC5 JC5 reopened this Jul 16, 2019
@dayn1ne
Author

dayn1ne commented Jul 17, 2019

Confirmed, the bug is not reproducible anymore.

@JC5 JC5 closed this as completed Aug 3, 2019
@lock lock bot locked as resolved and limited conversation to collaborators Jan 19, 2020