
XSS via svg fileupload : Pluck v-4.7.7 #63

Closed
riteshgupta1993 opened this issue Aug 12, 2018 · 7 comments
Comments

@riteshgupta1993

Affected software: Pluck v-4.7.7

Author: Ritesh kumar

Description: SVG files can contain Javascript in <script> tags. Browsers are smart enough to ignore scripts embedded in SVG files included via IMG tags. However, a direct request for an SVG file will result in the scripts being executed.
So an embedded SVG as an attachment in an issue or avatar does not execute the code, but if a user clicks on the attachment the code will execute.

Steps to reproduce:
1: Log in to Pluck.
2: Click on Pages -> Manage files, then browse and upload a malicious SVG file which contains an XSS payload.
3: Now open that file, which was saved as xss.svg; the output below will be shown.

URL where the XSS got executed: http://127.0.0.62/files/xss.svg
Vulnerable URL: http://127.0.0.62/admin.php?action=files

@BSteelooper
Contributor

I don't see the issue with this. If I upload an XSS-infected file to the website, I know the password. If I know the password, I can do worse things.

As for now I don't see a solution to prevent this.

@billcreswell
Contributor

billcreswell commented Aug 16, 2018 via email

@BSteelooper
Contributor

I have a few designers who publish SVG files of projects they have made on their website. Disallowing them would hurt them.

We could create a settings page where someone could allow filetypes, and default to only doc, docx, pdf, xls, xlsx, zip, rar, tar.gz?

@billcreswell
Contributor

billcreswell commented Aug 27, 2018 via email

@riteshgupta1993
Author

Hi,

You can follow the following patches to fix the issue. If you have another idea for patching the issue, it is even more appreciated.

You can check the content inside the SVG; if it does not have a valid signature, then do not upload it.

Or

You can set up an email verification mechanism to authenticate the file upload process. Suppose an attacker uploaded a malicious script; it will then send an email to the admin to confirm the file upload and validate the process.

Or

You can allow only limited file types. You can enable CSS or Bootstrap for styling.

Thanks and Regards,
Ritesh Kumar

@BSteelooper
Contributor

Dear Ritesh,

Check the content inside the file: Pluck is not a virus scanner; there are a million different file types which can be used in the same manner.
Only checking inside the SVG will give a false sense of security for the other file types; also, it is possible to change the tag names inside the SVG to prevent detection. Also, preventing scripts in SVG removes legitimate functionality from these files.
Someone can always install a virus scanner themselves, for instance: https://github.com/phpMussel/phpMussel

Verification mechanism: A person needs to be logged on before they can upload a file to the system. You need the password to log on and reach this page. With the same credentials you can change the mail address of the website and thereby receive the authentication email.

Allow limited file types: This upload was introduced to allow all files into the system and make them available for usage. Who are we to define what people can and cannot upload to their system? Again, you need the password to upload files, so all settings can be modified to circumvent all solutions put in place.

Additional: I was thinking of modifying the .htaccess in the files folder to set the header to application/octet-stream to force a download. But this would change the usage and function of this option altogether as well.

Regards,
Bas
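
A defensive version of two of the mitigations discussed above, as an added example that is not part of this thread or of Pluck's own code: an extension allowlist (the settings-page idea) and a DOM-based check of SVG uploads, which addresses the tag-renaming evasion Bas mentions because it matches on local-name() after XML parsing rather than grepping for a literal tag. The `$allowedExt` array and both function names are assumptions.

```php
<?php
// Added example, not Pluck's own code: the SVG content check and extension
// allowlist discussed above ($allowedExt stands in for a hypothetical setting).
// Parsing as XML and testing local-name() still catches renamed/prefixed tags.
function svgHasActiveContent(string $svg): bool
{
    $prev = libxml_use_internal_errors(true);
    $doc  = new DOMDocument();
    // LIBXML_NONET blocks network fetches; LIBXML_NOENT is left off on purpose.
    $ok = $doc->loadXML($svg, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if ($ok === false) {
        return true; // not well-formed XML: refuse rather than guess
    }
    // Entity declarations could smuggle markup past the DOM checks below.
    if ($doc->doctype !== null && $doc->doctype->entities->length > 0) {
        return true;
    }
    $xpath = new DOMXPath($doc);
    // script and foreignObject elements, whatever their prefix or namespace
    if ($xpath->query('//*[local-name()="script" or local-name()="foreignObject"]')->length > 0) {
        return true;
    }
    foreach ($xpath->query('//@*') as $attr) {
        $name  = strtolower($attr->localName);
        $value = strtolower(ltrim($attr->nodeValue));
        // event handlers (onload=, onclick=, ...) and javascript: in (xlink:)href
        if (strncmp($name, 'on', 2) === 0 || ($name === 'href' && preg_match('/^javascript\s*:/', $value))) {
            return true;
        }
    }
    return false;
}

function uploadIsAllowed(string $filename, string $contents, array $allowedExt): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return false;
    }
    return $ext !== 'svg' || !svgHasActiveContent($contents);
}

// Constructed samples: a plain drawing, a prefixed script element, an event handler.
$allowed = ['pdf', 'zip', 'svg'];
$clean   = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>';
$script  = '<svg xmlns="http://www.w3.org/2000/svg" xmlns:s="http://www.w3.org/2000/svg"><s:script>/* code */</s:script></svg>';
$handler = '<svg xmlns="http://www.w3.org/2000/svg" onload="/* code */"><rect/></svg>';
var_dump(uploadIsAllowed('logo.svg', $clean, $allowed), uploadIsAllowed('xss.svg', $script, $allowed),
         uploadIsAllowed('xss.svg', $handler, $allowed), uploadIsAllowed('shell.php', 'x', $allowed));
```

Only the first sample passes; the check rejects the prefixed script, the event handler, and the disallowed extension, while a plain drawing with no DOCTYPE entities is accepted.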

@BSteelooper
Contributor

This is an invalid report. With the password the complete website can be taken over. Without the password this is not exploitable.
