XSS via SVG file upload in Rhymix CMS 1.9.8.1 #1088

Closed
security-breachlock opened this issue Sep 16, 2018 · 7 comments
Labels: bug (confirmed bug), patch available (marks that a patch exists; used together with bug), security (security vulnerability)

Comments

security-breachlock commented Sep 16, 2018

Affected software: Rhymix CMS 1.9.8.1

Type of vulnerability: XSS via SVG file upload.

Description: Rhymix CMS is prone to a Persistent Cross-Site Scripting attack that allows a malicious user to inject HTML or scripts that can access any cookies, session tokens, or other sensitive information retained by your browser and used with that site.

Remediation: Your script should properly sanitize user input.
https://www.owasp.org/index.php/Unrestricted_File_Upload
Here is the crafted code for XSS. Save this code as an SVG file, i.e. xss.svg.

<script type="text/javascript"> alert("XSS_By_Provensec"); </script>

Steps to reproduce the vulnerability:

  1. Log in to the site as admin.

  2. Open URL http://127.0.0.33/rhymix-master/index.php?module=admin&act=dispModuleAdminFileBox

  3. Upload an SVG file with the crafted XSS code (see image XSS1.png).

  4. Open the uploaded file to execute the XSS payload (see image XSS2.png).

Discovered by: BreachLock
Website: https://www.breachlock.com
Author: Subodh Kumar

kijin added the bug (confirmed bug) and security (security vulnerability) labels Sep 16, 2018

kijin commented Sep 16, 2018

Thank you for reporting a potential security issue.

Unfortunately, we cannot reproduce the problem you reported. All modern browsers simply display the source code of the malicious SVG file instead of treating it as JavaScript and executing it. I suspect that the problem only occurs if the web server is misconfigured and sends the text/html content type, or if the browser tries to be too clever and guess the content type.

If the content of xss.svg that you pasted above is not the full proof of concept (i.e. mangled by the Github markdown parser), please post a link to the full file so that we can try to reproduce the problem.

In the meantime, we will try to filter <script> tags from uploaded SVG files.

kijin added a commit that referenced this issue Sep 16, 2018
kijin added a commit that referenced this issue Sep 18, 2018
kijin added the patch available (marks that a patch exists; used together with bug) label Sep 18, 2018

security-breachlock (Author) commented

Hi Kijin,

Here is the crafted code to reproduce the XSS via SVG file upload.

<script type="text/javascript"> alert("XSS_By_Provensec"); </script>
  1. Save the above code as an .SVG file, i.e. XSS.svg, and upload it to the CMS.
  2. Visit the link to XSS.svg to get the payload executed.

Thanks

kijin commented Sep 20, 2018

I still cannot reproduce the problem. Using a modern webserver and a modern browser, visiting XSS.svg displays the source code as if it were any other XML document.

A combination of misconfigured webservers and old browsers might be problematic, though, so we will patch Rhymix to disallow <script> tags and on* events in SVG and other XML-like file formats.
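As an added example (not Rhymix's own code), here is a fail-closed upload check in the spirit of the filter described above: it parses the SVG and rejects `<script>` elements in any namespace (including XHTML inside `<foreignObject>`), `on*` event-handler attributes and, going a step beyond the comment, `javascript:` hrefs. The samples are constructed; `f()` is a stand-in handler name, and `defusedxml` is assumed not to be installed, so the hardening note is left as a comment.

```python
import xml.etree.ElementTree as ET

# NOTE: xml.etree does not guard against entity-expansion (billion laughs)
# inputs on its own; a real upload pipeline should parse with defusedxml.

def _local_name(qname: str) -> str:
    """Strip a namespace prefix of the form '{uri}name', if present."""
    return qname.rsplit("}", 1)[-1]

def svg_active_content(svg_bytes: bytes) -> list[str]:
    """Return findings that make the file unsafe; an empty list means clean.
    Unparseable input is itself a finding, so the check fails closed."""
    findings = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    for elem in root.iter():
        name = _local_name(elem.tag).lower()
        # <script> in any namespace: SVG, XHTML inside <foreignObject>, or none
        if name == "script":
            findings.append("<script> element")
        for attr, value in elem.attrib.items():
            aname = _local_name(attr).lower()
            # Event-handler attributes such as onload, onclick, onerror
            if aname.startswith("on"):
                findings.append(f"{aname} attribute on <{name}>")
            # javascript: URLs in href / xlink:href
            if aname == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL in href on <{name}>")
    return findings

def is_safe_svg(svg_bytes: bytes) -> bool:
    """Accept/reject decision for an upload handler."""
    return not svg_active_content(svg_bytes)

# Constructed samples (not from the original report); f() is a stand-in handler.
BENIGN = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
SCRIPT = b'<svg xmlns="http://www.w3.org/2000/svg"><script>f()</script></svg>'
HANDLER = b'<svg xmlns="http://www.w3.org/2000/svg" onload="f()"/>'
FOREIGN = (b'<svg xmlns="http://www.w3.org/2000/svg"><foreignObject>'
           b'<script xmlns="http://www.w3.org/1999/xhtml">f()</script>'
           b'</foreignObject></svg>')
JSHREF = (b'<svg xmlns="http://www.w3.org/2000/svg" '
          b'xmlns:xlink="http://www.w3.org/1999/xlink">'
          b'<a xlink:href="javascript:f()"><text>x</text></a></svg>')
```

Serving uploads with an `X-Content-Type-Options: nosniff` header and the correct `image/svg+xml` type addresses the misconfigured-server case mentioned earlier, independently of this content check.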

security-breachlock (Author) commented

Please check the video PoC.

XSS in rhymix CMS.zip

security-breachlock (Author) commented

Hi,
In the previous reply, the GitHub parser destroyed the crafted XSS code, so please download the crafted XSS code from the link below to upload.
I am attaching a video PoC. Please follow the steps to reproduce the vulnerability.

XSS crafted code - https://github.com/security-provensec/Payloads/blob/master/XSS.svg

Verified on:
Firefox - 56.0.2 (64-bit) on Windows - 10
Google Chrome - Version 69.0.3497.100 (Official Build) (64-bit) Windows - 10

Thanks

kijin commented Sep 27, 2018

Thank you for the full POC. I have confirmed that the hack doesn't work in the latest develop branch. This will be released as a stable version in a few days.

kijin commented Oct 4, 2018

Fixed in 1.9.8.2

kijin closed this as completed Oct 4, 2018