XSS via exiftag #598
Comments
I imagined seeing an attachment in the email? Thanks! Is the EXIF tag also not escaped when seeing the details after upload, in the media library?
It is as far as I can see only in the details (i.e. after clicking the button with the tooltip "Media Properties").
Confirmed. I pushed a first fix now. With the array construction that code is a bit convoluted, do you still see a way to exploit this? The media properties above seem like an equivalent attack vector, but they should not be read directly from the image, unlike the EXIF tags.
Seems fixed, though I see a somewhat obscure other issue: Not sure if there's any risk, it would require something like a multi-editor blog where one editor is not allowed to inject html into a blogpost, but can edit image properties (not even sure if that's possible). But probably better to fix that as well. (In general I wonder how much protection s9y provides in multiuser settings and if this has even been considered before.) |
I admit to also not knowing this. I never had to deal with the rights management of s9y.
Yeah. Which image property is the problem here?
I know that we already had the situation that we fixed similar bugs, so I think it's okay to tackle it. But there is of course a limit on how much security we can provide here.
The "Short Comment" field is added as a "Comment". In the dialog to add the image it's escaped, but then it ends up unescaped within the blogpost itself.
Fixed. Thanks!
Backported from master branch. Signed-off-by: Thomas Hochstein <thh@inter.net>

The attached file contains an XSS payload as the camera model EXIF tag.
Uploading it to s9y and looking at the details of the file will execute it. The EXIF tag printing should be escaped. (While this is only self-XSS, there are situations where this could still be exploited, imagine someone sending a photo to someone else for a blogpost.)