View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0029135 | mantisbt | security | public | 2021-10-03 12:53 | 2022-06-24 04:05 |
Field | Value |
---|---|
Reporter | Devendra Bhatla |
Assigned To | dregad |
Priority | normal |
Severity | minor |
Reproducibility | always |
Status | closed |
Resolution | fixed |
Product Version | 2.25.2 |
Target Version | 2.25.5 |
Fixed in Version | 2.25.5 |
Summary | 0029135: CVE-2022-33910: Unrestricted SVG File Upload leads to CSS Injection |
Description | File upload vulnerability is a major problem with web-based applications. In many web servers, this vulnerability creates a lot of issues. Here in this case, if an SVG file is uploaded with some style in it, it leads to CSS Injection. Whenever a file is uploaded to a web server it should be checked thoroughly at both client and server side; to check this, the best practice by OWASP below can be followed in order to reduce risk: Allow Listing File Extensions. Below is the reference link to understand the risk in more detail. |
Steps To Reproduce | Step 1: Login into the application as a reporter. |
Tags | No tags attached. |
Attached Files | |
I don't see how this can be prevented, other than blocking SVG format entirely. Any advice? |
|
This can be prevented if you allow all the uploaded files to be downloaded at the client side; otherwise you can also restrict file execution in PHP, or if possible you can block the SVG format entirely as it is not a much-used extension. Reference link to restrict file execution: The above link will help restricting the SVG file from executing at the client side, and the user can download and view its content. Please let me know if this works. |
|
@dregad any update on this ? |
|
Hi @dregad |
|
Any progress on this ? |
|
Hi @dregad Are we still stuck on the remediation ? or please let me know if there is some progress on this ? |
|
I tried various things to prevent CSS injection via SVG files, but couldn't find a good way to block it without altering the SVG's contents, so I think the safest approach is to prevent uploading of such files in the first place by setting Note that this is not an actual fix though, just a workaround that admins could easily override (and would of course not automatically get after upgrading, without a manual change to their configuration, if they have already customized $g_disallowed_files). |
|
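The two controls discussed in this thread, as an added example that is not MantisBT's own code: an extension check with the precedence MantisBT documents for `$g_disallowed_files` over `$g_allowed_files`, and the force-download decision for MIME types a browser would otherwise render inline (the "allow the file to be downloaded" approach suggested earlier in the thread). The function names and the constructed filenames are assumptions. The scenarios include the case raised in the previous comment: an administrator who customised `$g_disallowed_files` before the default changed, and whose list does not contain `svg`, keeps accepting SVG uploads.

```php
<?php
// Added example, not MantisBT code. Models the documented semantics:
// $g_disallowed_files takes precedence over $g_allowed_files, and an
// empty allow list means "anything not explicitly denied".

/** Parse a MantisBT-style comma-separated extension list into a lowercase set. */
function parse_extension_list( string $p_list ): array {
	$t_set = array();
	foreach ( explode( ',', $p_list ) as $t_ext ) {
		$t_ext = strtolower( trim( $t_ext ) );
		if ( $t_ext !== '' ) {
			$t_set[$t_ext] = true;
		}
	}
	return $t_set;
}

/**
 * First layer: decide at upload time whether a filename is acceptable.
 *  - The deny list always wins.
 *  - A non-empty allow list then restricts uploads to those extensions only.
 *  - Matching is case-insensitive, so 'logo.SVG' is treated like 'logo.svg'.
 * (Hypothetical helper; MantisBT's real check lives elsewhere.)
 */
function upload_allowed( string $p_filename, string $p_allowed, string $p_disallowed ): bool {
	$t_ext = strtolower( pathinfo( $p_filename, PATHINFO_EXTENSION ) );
	$t_deny = parse_extension_list( $p_disallowed );
	if ( isset( $t_deny[$t_ext] ) ) {
		return false;
	}
	$t_allow = parse_extension_list( $p_allowed );
	return empty( $t_allow ) || isset( $t_allow[$t_ext] );
}

/**
 * Second layer: at download time, never let the browser render these types
 * inline, so a stored SVG (or HTML) attachment cannot apply its own CSS or
 * script in the application's origin. Also protects files uploaded before
 * the deny list changed.
 */
function content_disposition_for( string $p_mime ): string {
	$t_force_attachment = array( 'application/x-shockwave-flash', 'image/svg+xml', 'text/html' );
	// Drop parameters such as '; charset=utf-8' before comparing.
	$t_type = strtolower( trim( explode( ';', $p_mime, 2 )[0] ) );
	return in_array( $t_type, $t_force_attachment, true ) ? 'attachment' : 'inline';
}

// Constructed scenarios (assumptions, not data from this issue).
$t_cases = array(
	// the new default shipped by the fix
	array( 'logo.svg', '', 'svg' ),
	// admin customised $g_disallowed_files before upgrading: svg is NOT blocked
	array( 'logo.svg', '', 'php,exe' ),
	// mixed-case extension must still hit the deny list
	array( 'logo.SVG', '', 'svg' ),
	// allow list names svg, but the deny list still takes precedence
	array( 'logo.svg', 'png,svg', 'svg' ),
);
foreach ( $t_cases as $t_case ) {
	list( $t_name, $t_allowed, $t_disallowed ) = $t_case;
	printf( "%-10s allowed='%s' disallowed='%s' => %s\n",
		$t_name, $t_allowed, $t_disallowed,
		upload_allowed( $t_name, $t_allowed, $t_disallowed ) ? 'accept' : 'reject' );
}
echo 'image/svg+xml; charset=utf-8 => ', content_disposition_for( 'image/svg+xml; charset=utf-8' ), "\n";
echo 'image/png => ', content_disposition_for( 'image/png' ), "\n";
```

The second scenario is the one that makes the download-side layer necessary: a default value only reaches instances that never overrode it, whereas the disposition check applies to every attachment served, including ones stored before the upgrade.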
CVE Request 1282365 sent |
|
CVE-2022-33910 assigned |
|
@Devendra Bhatla attached is a proposed patch for review, thanks in advance for your feedback. |
Attachment: CVE-2022-33910.patch (2,338 bytes)
diff --git a/config_defaults_inc.php b/config_defaults_inc.php index 66f3a63aa..eefb01355 100644 --- a/config_defaults_inc.php +++ b/config_defaults_inc.php @@ -1976,19 +1976,31 @@ $g_max_file_size = 5 * 1024 * 1024; $g_file_upload_max_num = 10; /** - * Files that are allowed or not allowed. Separate items by commas. - * eg. 'php,html,java,exe,pl' - * if $g_allowed_files is filled in NO other file types will be allowed. - * $g_disallowed_files takes precedence over $g_allowed_files + * Authorized file types (whitelist). + * + * If $g_allowed_files is filled in, NO other file types will be allowed. If + * empty, any extensions not specifically excluded by $g_disallowed_files list + * will be authorized ($g_disallowed_files takes precedence over $g_allowed_files). + * Separate items by commas, e.g. 'bmp,gif,jpg,png,txt,zip'. + * + * @see $g_allowed_files * @global string $g_allowed_files */ $g_allowed_files = ''; /** + * Forbidden file types (blacklist). + * + * All file extensions in this list will be unauthorized. + * Separate items by commas, e.g. 'php,html,java,exe,pl,svg'. + * + * SVG files are disabled by default, for security reasons. It is recommended to + * also disable all extensions that can be executed by your server; * + * @see $g_allowed_files * @global string $g_disallowed_files */ -$g_disallowed_files = ''; +$g_disallowed_files = 'svg'; /** * prefix to be used for the file system names of files uploaded to projects. diff --git a/file_download.php b/file_download.php index 9ed9b5f44..005fe4d54 100644 --- a/file_download.php +++ b/file_download.php 
@@ -202,9 +202,18 @@ if( $t_content_type_override ) { # https://www.thoughtco.com/mime-types-by-content-type-3469108 $t_show_inline = $f_show_inline; $t_mime_force_inline = array( - 'image/jpeg', 'image/gif', 'image/tiff', 'image/bmp', 'image/svg+xml', 'image/png', - 'application/pdf' ); -$t_mime_force_attachment = array( 'application/x-shockwave-flash', 'text/html' ); + 'application/pdf', + 'image/bmp', + 'image/gif', + 'image/jpeg', + 'image/png', + 'image/tiff', +); +$t_mime_force_attachment = array( + 'application/x-shockwave-flash', + 'image/svg+xml', # SVG could contain CSS or scripting, see #30384 + 'text/html', +); # extract mime type from content type $t_mime_type = explode( ';', $t_content_type, 2 ); |
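Review bot: in the config_defaults_inc.php hunk, the `@see $g_allowed_files` tag added to the `$g_allowed_files` docblock points at the option itself; it should read `@see $g_disallowed_files`, mirroring the cross-reference added to the `$g_disallowed_files` docblock. The new `$g_disallowed_files` comment also stops mid-sentence ("also disable all extensions that can be executed by your server;"), so either complete it, for instance by pointing at the 'php,html,java,exe,pl,svg' list quoted a few lines above, or end it with a period. Finally, since this hunk only changes a default, instances whose administrators already customised `$g_disallowed_files` keep accepting SVG after upgrading, as the discussion above notes; that deserves a sentence in the Admin Guide change (docbook uploads.xml in the commit) rather than only in the issue.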
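Review bot: in the file_download.php hunk, the new comment cites `#30384` while this issue is 0029135 (CVE-2022-33910); please confirm the referenced issue number is the intended one. This hunk is the part that protects attachments uploaded before the upgrade and on instances with a customised deny list, since the default-only config change does not reach them, so a comment next to `$t_mime_force_attachment` saying that it is the safety net for already-stored SVG files would make the intent clear. Also worth checking: the match is an exact string comparison against `image/svg+xml`, so if the `$t_content_type_override` branch above can produce a different type string for SVG content, the attachment disposition would not be forced for it.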
|
MantisBT: master-2.25 26676219 2022-06-15 12:28 |
Disable SVG files upload by default. SVG files are not just images, they are XML files and as such could contain inline CSS or scripting which could be used as an attack vector for stored XSS. Devendra Bhatla and Febin Mon Saji <febinrev811@gmail.com> both independently reported this vulnerability. Fixes 0029135, CVE-2022-33910 |
Affected Issues 0029135 |
|
mod - config_defaults_inc.php | Diff File |
mod - docbook/Admin_Guide/en-US/config/uploads.xml | Diff File |