Description

the application is accepting SVG files as an image and applies a sanitize on the SVG content to avoid XSS attacks using the following snippet of code

} else if ($ext === 'svg') {

    if (is_file($filePath)) {
        $sanitizer = new \enshrined\svgSanitize\Sanitizer();
        // Load the dirty svg
        $dirtySVG = file_get_contents($filePath);
            // Pass it to the sanitizer and get it back clean
        $cleanSVG = $sanitizer->sanitize($dirtySVG);
        file_put_contents($filePath, $cleanSVG);

    }
    $valid = true;
}

the main point here is if the extension is svg the cleaning will happen so I could bypass it by uploading a file with the extension name Svg not svg just by making the s capital letter this will break the if statement and will bypass the cleaning of XSS payloads.

The following is the content used as a XSS payload

<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(document.location);
   </script>
</svg>

to get the uploading request you can use any uploading function like the one in this page to upload image to the page http://192.168.61.130/test/microweber-master/admin/product/15/edit the request sent to /plupload

Impact

This finding could be used to execute JS code on the users who will open the link of the SVG file.