XSS via SVG file upload in Rhymix CMS 1.9.8.1 #1088
Comments
|
Thank you for reporting a potential security issue. Unfortunately, we cannot reproduce the problem you reported. All modern browsers simply display the source code of the malicious SVG file instead of treating it as JavaScript and executing it. I suspect that the problem only occurs if the web server is misconfigured and sends the If the content of xss.svg that you pasted above is not the full proof of concept (i.e. mangled by the GitHub markdown parser), please post a link to the full file so that we can try to reproduce the problem. In the meantime, we will try to filter |
|
Hi Kijin, Here is the crafted code to reproduce the XSS via SVG file upload. <script type="text/javascript"> alert("XSS_By_Provensec"); </script>
Thanks |
|
I still cannot reproduce the problem. Using a modern webserver and a modern browser, visiting XSS.svg displays the source code as if it were any other XML document. A combination of misconfigured webservers and old browsers might be problematic, though, so we will patch Rhymix to disallow |
|
Please check the video PoC. |
|
Hi, XSS crafted code - https://github.com/security-provensec/Payloads/blob/master/XSS.svg Verified on: - Thanks |
|
Thank you for the full POC. I have confirmed that the hack doesn't work in the latest |
|
Fixed in 1.9.8.2 |
Affected software: Rhymix CMS 1.9.8.1
Type of vulnerability: XSS via SVG file upload.
Description: Rhymix CMS is prone to a Persistent Cross-Site Scripting attack that allows a malicious user to inject HTML or scripts that can access any cookies, session tokens, or other sensitive information retained by your browser and used with that site.
Remediation: Your script should properly sanitize user input.
<script type="text/javascript"> alert("XSS_By_Provensec"); </script>
https://www.owasp.org/index.php/Unrestricted_File_Upload
Here is the crafted code for XSS. Save this code as an SVG file, i.e. xss.svg.
Steps to reproduce the vulnerability:
Log in to the site as admin.
Open URL http://127.0.0.33/rhymix-master/index.php?module=admin&act=dispModuleAdminFileBox
Upload SVG file with crafted XSS code (See image XSS1.png).

Open the uploaded file to execute the XSS payload (See image XSS2.png).

Discovered by: BreachLock
Website: https://www.breachlock.com
Author: Subodh Kumar