This repository has been archived by the owner on Dec 19, 2023. It is now read-only.

Stored Cross Site Scripting (Authenticated) via Unrestricted file upload. #9

Open: wants to merge 2 commits into base branch master

Conversation


@ghost ghost commented May 6, 2021

📊 Metadata *

Bounty URL: https://huntr.dev/bounties/6-other-monicahq/monica

⚙️ Description *

SVG files are supported by monica; this means that monica is vulnerable to one of the oldest XSS attacks in the book. I added a 'sanitiser' to clear SVG files of any executable code, e.g. the onload= attribute.

💻 Technical Description *

I added an if (extension == 'svg') (pseudocode) to check whether the uploaded file is a *.svg file; if so, it calls $this->sanitiseSVG(). Then, I create a DOMDocument object to parse the file as XML and make my life 100% easier. Finally, I loop through all SVG elements and check whether the element is in the whitelist (from https://github.com/alnorris/SVG-Sanitizer/blob/master/SvgSanitizer.php ) - I used a whitelist here in case the SVG specification changes to add additional scripting features - if the element isn't in the whitelist, I remove it; if it is, I then loop through all of its attributes using a similar whitelist (again, from the above link) and remove if necessary. Unfortunately, this fix only applies to newly uploaded images, so old images, or images sent from an older version, could still have an effect.

🐛 Proof of Concept (PoC) *

Anywhere you can upload images (contact’s profile tab for this example), upload a *.svg file with an onload= attribute or something similar, e.g.

```xml
<svg xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg" onload="alert(1);">
  <circle />
</svg>
```

gives this response:
[Screenshot: Screenshot_2021-04-26_16-21-11]

🔥 Proof of Fix (PoF) *

The same SVG file used above no longer causes the alert.

👍 User Acceptance Testing (UAT)

N/A
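An allow-list sanitiser of the kind the PR describes, written here as an added example rather than the PR's or monica's own code: it parses the upload with DOMDocument, removes elements and attributes not on an allow-list, and additionally rejects any DOCTYPE and parses with LIBXML_NONET (neither is mentioned in the PR). The allow-lists are a constructed minimal subset, not the SvgSanitizer.php lists linked above; run against the PoC above, it strips the onload= attribute and any <script> element.

```php
<?php
// Added example, not the PR's own code: an allow-list SVG sanitiser in the
// style the PR describes (DOMDocument parse, drop elements and attributes that
// are not allow-listed). The allow-lists are a constructed minimal subset, not
// the SvgSanitizer.php lists the PR references.
final class SvgSanitiser
{
    private const ALLOWED_ELEMENTS = [
        'svg', 'g', 'defs', 'title', 'desc', 'path', 'circle', 'ellipse',
        'rect', 'line', 'polyline', 'polygon', 'text',
    ];
    // No on* handlers, no href/xlink:href, no style: their values can carry
    // script or external references that a name-only allow-list cannot catch.
    private const ALLOWED_ATTRIBUTES = [
        'xmlns', 'xmlns:svg', 'id', 'viewBox', 'width', 'height', 'x', 'y',
        'x1', 'y1', 'x2', 'y2', 'cx', 'cy', 'r', 'rx', 'ry', 'd', 'points',
        'fill', 'stroke', 'stroke-width', 'transform',
    ];
    /** Returns sanitised markup, or null when the upload should be rejected. */
    public static function sanitise(string $svg): ?string
    {
        $previous = libxml_use_internal_errors(true);
        $dom = new DOMDocument();
        // LIBXML_NONET: never fetch external resources while parsing an upload.
        $loaded = $dom->loadXML($svg, LIBXML_NONET);
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
        // Reject unparsable input, any DOCTYPE (entities) and non-<svg> roots.
        if (!$loaded || $dom->doctype !== null
            || $dom->documentElement->localName !== 'svg') {
            return null;
        }
        // Snapshot the live node list before mutating the tree.
        foreach (iterator_to_array($dom->getElementsByTagName('*')) as $el) {
            if (!in_array($el->localName, self::ALLOWED_ELEMENTS, true)) {
                $el->parentNode->removeChild($el); // drops its subtree as well
                continue;
            }
            foreach (iterator_to_array($el->attributes) as $attr) {
                if (!in_array($attr->nodeName, self::ALLOWED_ATTRIBUTES, true)) {
                    $el->removeAttributeNode($attr);
                }
            }
        }
        return $dom->saveXML();
    }
}
// Constructed input: the PR's PoC plus a <script>; output keeps only <circle>.
echo SvgSanitiser::sanitise('<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1);"><circle r="5"/><script>alert(2)</script></svg>');
```

As the PR itself notes, a sanitiser at upload time does nothing for SVGs stored before the fix; those need a one-off re-sanitisation pass or serving with a Content-Type and Content-Security-Policy that prevent script execution.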

@huntr-helper

👋 Hello, @dependabot-preview[bot]. @bolshoytoster has opened a PR to us with a fix for a potential vulnerability in your repository. To view the vulnerability, please refer to the bounty URL in the first comment, above. If you want this fix in your repository, a PR will automatically open once you comment:

@huntr-helper - LGTM


☎️ Need further support?

Come and join us on our community Discord!


@dependabot-preview[bot] - want more fixes like this?

Copy this snippet into your README.md for more vulnerability fixes in the future:

[![huntr](https://cdn.huntr.dev/huntr_security_badge_mono.svg)](https://huntr.dev)

