XSS via svg fileupload : Pluck v-4.7.7 #63
Comments
I don't see the issue with this. If I upload an XSS-infected file to the website, I know the password. If I know the password I can do worse things. As for now I don't see a solution to prevent this.
SVG is rare enough that we could disallow. However, the same vulnerability could exist with more common file types like PDF.

On Thu, Aug 16, 2018, 7:19 AM Bas Steelooper ***@***.***> wrote:
> I don't see the issue with this. If I upload an XSS-infected file to the website, I know the password. If I know the password I can do worse things. As for now I don't see a solution to prevent this.
I have a few designers who publish SVG files on their website of projects they have made. Disallowing would hurt them. We could create a settings page where someone could allow file types, and default to only doc, docx, pdf, xls, xlsx, zip, rar, tar.gz?
I don't think it even has to be the default, as long as there is the option to disallow.

On Mon, Aug 27, 2018, 3:48 AM Bas Steelooper ***@***.***> wrote:
> I have a few designers who publish SVG files on their website of projects they have made. Disallowing would hurt them. We could create a settings page where someone could allow file types, and default to only doc, docx, pdf, xls, xlsx, zip, rar, tar.gz?
Hi, you can follow the following patches to fix the issue. If you have another idea for patching the issue, it is more appreciated.

You can check the content inside the SVG; if it does not have a valid signature, then do not upload it.

Or you can set up an email verification mechanism to authenticate the file upload process. Suppose an attacker uploaded a malicious script; it will send an email to the admin to confirm the file upload and validate the process.

Or you can allow limited file types.

You can enable CSS or Bootstrap for styling.

Thanks and regards,
Dear Ritesh,

Check the content inside the file: Pluck is not a virus scanner; there are a million different file types which can be used in the same manner.

Verification mechanism: a person needs to be logged on before they can upload a file to the system. You need the password to log on and reach this page. With the same credentials you can change the mail address of the website and by this receive the authentication email.

Allow limited file types: this upload was introduced to allow all files into the system and make them available for usage. Who are we to define what people can and cannot upload to their system? Again, you need the password to upload files. So all settings can be modified to circumvent all solutions put in place.

Additional: I was thinking of modifying the .htaccess in the files folder to set the header to application/octet-stream to force a download. But this would change the usage and function of this option altogether as well.

Regards,
This is an invalid report. With the password the complete website can be taken over. Without the password this is not exploitable. |
Affected software: Pluck v-4.7.7
Author: Ritesh Kumar
Description: SVG files can contain JavaScript in <script> tags. Browsers are smart enough to ignore scripts embedded in SVG files included via IMG tags. However, a direct request for an SVG file will result in the scripts being executed.
So an embedded SVG as an attachment in an issue or avatar does not execute the code, but if a user clicks on the attachment the code will execute.
Steps to reproduce:
1: Log in to Pluck.
2: Click on Pages -> Manage files, then browse and upload a malicious SVG file which contains an XSS payload.
3: Now open that file, which was saved as xss.svg; the output below will be shown.
URL where the XSS got executed: http://127.0.0.62/files/xss.svg
Vulnerable URL: http://127.0.0.62/admin.php?action=files
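The report above describes the problem (a script inside an uploaded SVG runs when the file is requested directly) and the comments weigh three mitigations: an extension allowlist, inspecting the SVG content, and serving files with headers that keep a browser from executing them. The Python below is an added example written for this page; it is not part of the report and not Pluck's own code. It assumes its own allowlist set, constructed sample uploads, and a response-header policy chosen here (a Content-Security-Policy with `default-src 'none'` and `sandbox`, so a clean SVG can still be viewed inline) in place of the forced application/octet-stream download discussed in the thread.

```python
"""Added example: an upload policy for a Pluck-style "manage files" page.

Not Pluck's code. It combines the mitigations discussed in the thread:
an extension allowlist, a scan of SVG content for active elements and
attributes, and response headers chosen here so that a clean SVG can still
be viewed inline without any script in it being executed.
"""
import re
import xml.etree.ElementTree as ET

# Assumed default allowlist; the thread proposes one, the exact set is ours.
ALLOWED_EXT = {"doc", "docx", "pdf", "xls", "xlsx", "zip", "rar", "gz",
               "png", "jpg", "jpeg", "gif", "svg"}

# Elements that let an SVG run code or embed arbitrary HTML.
ACTIVE_ELEMENTS = {"script", "foreignobject"}
# URL schemes that execute when followed or loaded from an href.
ACTIVE_SCHEMES = {"javascript", "vbscript", "data"}


def _local(name: str) -> str:
    """Strip an ElementTree '{namespace}' prefix and lower-case the name."""
    return name.rsplit("}", 1)[-1].lower()


def svg_active_content(data: bytes) -> list[str]:
    """Return findings describing active content in an SVG; [] means clean.

    This is a detector for the known vectors (script, on* event handlers,
    executable hrefs, foreignObject), not a full sanitiser.
    """
    findings = []
    # Refuse DOCTYPE/ENTITY declarations outright rather than parsing them.
    if re.search(rb"<!(DOCTYPE|ENTITY)", data, re.IGNORECASE):
        return ["DOCTYPE or ENTITY declaration"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):
                findings.append(f"event handler attribute {name}")
            elif name == "href":
                # Whitespace and control characters are removed first so that
                # "java\tscript:" is still recognised as the javascript: scheme.
                compact = re.sub(r"[\s\x00-\x1f]", "", value).lower()
                scheme = compact.split(":", 1)[0] if ":" in compact else ""
                if scheme in ACTIVE_SCHEMES:
                    findings.append(f"{scheme}: URL in href")
    return findings


def upload_decision(filename: str, data: bytes) -> dict:
    """Decide whether to store the file and which headers to serve it with."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXT:
        return {"accept": False, "reason": f"extension '.{ext}' not on the allowlist", "headers": {}}
    headers = {"X-Content-Type-Options": "nosniff"}
    if ext == "svg":
        findings = svg_active_content(data)
        if findings:
            return {"accept": False, "reason": "; ".join(findings), "headers": {}}
        # Serve inline (designers keep their artwork) but under a CSP that blocks
        # scripting and sandboxes the document. This is our choice here, in place
        # of the application/octet-stream forced download from the thread.
        headers["Content-Type"] = "image/svg+xml"
        headers["Content-Security-Policy"] = (
            "default-src 'none'; img-src 'self' data:; style-src 'unsafe-inline'; sandbox")
    return {"accept": True, "reason": "ok", "headers": headers}


# Constructed sample uploads (not taken from the report).
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10"><circle cx="5" cy="5" r="4" fill="red"/></svg>'
SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(document.domain)</script></svg>'
HANDLER_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><rect width="1" height="1"/></svg>'
LINK_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
            b'<a xlink:href="java\tscript:alert(1)"><text y="10">click</text></a></svg>')

if __name__ == "__main__":
    for name, blob in [("logo.svg", CLEAN_SVG), ("xss.svg", SCRIPT_SVG),
                       ("x.svg", HANDLER_SVG), ("link.svg", LINK_SVG),
                       ("shell.php", b"<?php ?>")]:
        d = upload_decision(name, blob)
        print(f"{name:10s} accept={d['accept']!s:5s} {d['reason']}")
```

The scan is deliberately a denylist of the vectors named in the thread, which is why the CSP header is applied even to files that pass it: an SVG that slips past the detector still lands in a sandboxed document with inline script blocked. Bas's point stands in one respect, of course: an attacker who already has the admin password can change these settings as easily as anything else, so the control is about limiting what a stored file can do to a visitor, not about keeping the admin out.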