
CVE-2018-7265 - Stored XSS vulnerability resulting from improper handling of uploaded SVG files #631

Closed
Alyssa-o-Herrera opened this issue Feb 20, 2018 · 7 comments

Comments

@Alyssa-o-Herrera

Alyssa-o-Herrera commented Feb 20, 2018

During testing of your project, I came across a stored XSS vulnerability that stems from a lack of sanitization and integrity checking of SVG files being uploaded to the server.
Reproduction is quite easy, as all it requires is going to the image upload feature, selecting our crafted SVG file, then visiting the full image to receive the alert.
SVG file code:
https://ghostbin.com/paste/xkj2o

@shish
Owner

shish commented Feb 20, 2018

By "visiting the full image" I assume you mean the image URL is in the browser address bar (As opposed to visiting the page which embeds the image?). We're using <img> rather than <embed> which is supposed to stop scripts, but you're right that if the user views the file directly instead of inside HTML, then the browser would treat that as an interactive document...

I'll get researching mitigations for that, though suggestions are welcome if you know of any off the top of your head. Thanks for the report either way :)

@Alyssa-o-Herrera
Author

Alyssa-o-Herrera commented Feb 20, 2018

paragonie/airship@7c9df9a is how they handled SVG files executing JS. Yes, the embedded page on its own won't execute, but seeing the image directly would allow execution of JS in the context of the DOM. I'll be requesting a CVE for this issue as well.

@Alyssa-o-Herrera Alyssa-o-Herrera changed the title Stored XSS vulnerability resulting from improper handling of uploaded SVG files CVE-2018-7265 - Stored XSS vulnerability resulting from improper handling of uploaded SVG files Feb 20, 2018
@Alyssa-o-Herrera
Author

This has been assigned CVE-2018-7265.

@shish
Owner

shish commented Feb 20, 2018

I believe this to be fixed in the develop branch in bc68137:

Uploaded file:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg" width="100" height="100">
    <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
    <script type="text/javascript">
        alert(document.location);
    </script>
</svg>

File served to users:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg xmlns="http://www.w3.org/2000/svg" baseProfile="full" width="100" height="100">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"></polygon>
</svg>

Backported to master in 60d693d
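As an added illustration of the sanitization approach shown above (this is not shimmie's code; the project's actual fix lives in the commits linked in this thread), the following Python function parses an uploaded SVG, drops `<script>` elements the way the served file above does, and additionally strips event-handler attributes and `javascript:`/`data:` links, which the original test file did not exercise. The sample SVG is constructed for this example and extends the reporter's triangle with those extra vectors; the function also returns a list of what it removed so an upload handler can log it.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
SCRIPT_TAGS = {"script", "{%s}script" % SVG_NS}
URL_ATTRS = {"href", "{%s}href" % XLINK_NS}

# Constructed sample: the triangle from the report plus an event handler
# and a javascript: link, neither of which the original test file had.
UPLOADED_SVG = """<?xml version="1.0" standalone="no"?>
<svg version="1.1" xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" width="100" height="100">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900"
           stroke="#004400" onload="alert(1)"/>
  <script type="text/javascript">alert(document.location);</script>
  <a xlink:href="javascript:alert(2)"><circle r="10"/></a>
  <a href="https://example.org/"><circle r="5"/></a>
</svg>
"""

def attr_is_active(name, value):
    """True for on* event handlers and for href values with a script scheme."""
    local = name.rsplit("}", 1)[-1].lower()
    if local.startswith("on"):
        return True
    if name in URL_ATTRS:
        # Strip whitespace/control characters first so "java\tscript:" is caught.
        scheme = "".join(c for c in value if c.isprintable() and not c.isspace()).lower()
        return scheme.startswith(("javascript:", "data:"))
    return False

def sanitize_svg(xml_text):
    """Return (clean_svg, removed): script elements and active attributes dropped."""
    root = ET.fromstring(xml_text)
    if root.tag in SCRIPT_TAGS:
        raise ValueError("root element is a script")
    removed = []
    for parent in list(root.iter()):          # copy: the tree is mutated below
        for child in list(parent):
            if child.tag in SCRIPT_TAGS:
                parent.remove(child)
                removed.append("element:script")
    for el in root.iter():
        for name in [n for n, v in el.attrib.items() if attr_is_active(n, v)]:
            del el.attrib[name]
            removed.append("attr:" + name.rsplit("}", 1)[-1])
    ET.register_namespace("", SVG_NS)         # serialize with a default namespace
    ET.register_namespace("xlink", XLINK_NS)
    return ET.tostring(root, encoding="unicode"), removed
```

Serving the cleaned output (rather than the stored original) is what closes the "view the image URL directly" path described above; parsing with a hardened XML parser such as defusedxml is advisable for untrusted uploads.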

@Alyssa-o-Herrera
Author

Alright, I'll check if it's possible to bypass the solution or not.

@Alyssa-o-Herrera
Author

Seems secure. I did some testing against the sanitizer and I wasn't able to effectively come up with a manner to exploit it.

@shish
Owner

shish commented Feb 22, 2018

Cool, thanks again for making the world a safer place :)
