View Issue Details

IDProjectCategoryView StatusLast Update
0029135mantisbtsecuritypublic2022-06-24 04:05
ReporterDevendra Bhatla Assigned Todregad  
PrioritynormalSeverityminorReproducibilityalways
Status closedResolutionfixed 
Product Version2.25.2 
Target Version2.25.5Fixed in Version2.25.5 
Summary0029135: CVE-2022-33910: Unrestricted SVG File Upload leads to CSS Injection
Description

File upload vulnerability is a major problem with web-based applications. In many web servers, this vulnerability creates a lot of issue. Here in this case If svg file is uploaded with some style in it leads to CSS Injection.

Whenever a File is uploaded to a web server it should be checked thoroughly at client and server side both, to check this below best practice by OWASP can be followed in order to reduce risk.

Allow Listing File Extensions
“Content-Type” Header Validation

Below is the reference Link to understand the risk in more detail
https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload

Steps To Reproduce

Step 1: Login into the application as a reporter.
Step 2: Navigate to Report Issue and fill in all the required details.
Step 3: Now create a svg file with some css in it.
Step 4: Now upload this svg file and submit the form. Once the form is submitted, navigate to the reported issue and click on the uploaded file to view it.
Step 5: Now as it can be observed the style placed in svg file is successfully executed.

TagsNo tags attached.
Attached Files

Relationships

related to 0030384 closeddregad CVE-2022-33910: Stored XSS via SVG file upload 

Activities

dregad

dregad

2021-10-04 03:21

developer   ~0065881

I don't see how this can be prevented, other than blocking SVG format entirely. Any advice ?

Devendra Bhatla

Devendra Bhatla

2021-10-04 05:01

reporter   ~0065882

Last edited: 2021-10-04 05:03

This can be prevented if you allow all the uploaded file to be downloaded at the client side otherwise you can also restrict file execution in php or if possible you can block svg format entirely as it is not much usable extension.

Reference link to restrict file execution:
https://medium.com/gretathemes/how-to-disable-php-execution-in-the-uploads-folder-in-wordpress-cd34ca2f1dc8

The above link will help restricting svg file to execute at client side and the user can download and vew its content. Please let me know if this works.

Devendra Bhatla

Devendra Bhatla

2021-10-05 08:13

reporter   ~0065884

@dregad any update on this ?

Devendra Bhatla

Devendra Bhatla

2021-10-07 11:23

reporter   ~0065900

Hi @dregad
Please assign a CVE-ID for this once this will be patched.

Devendra Bhatla

Devendra Bhatla

2021-10-15 01:43

reporter   ~0065914

Any progress on this ?

Devendra Bhatla

Devendra Bhatla

2021-11-30 04:25

reporter   ~0066053

Hi @dregad

Are we still stuck on the remediation ? or please let me know if there is some progress on this ?

dregad

dregad

2022-06-13 06:31

developer   ~0066741

I tried various things to prevent CSS injection via SVG files, but couldn't find a good way to block it without altering the SVG's contents, so I think the safest approach is to prevent uploading of such files in the first place by setting $g_disallowed_files = 'svg'; in config_defaults_inc.php.

Note that this is not an actual fix though, just a workaround that admins could easily override (and would of course not automatically get after upgrading, without a manual change to their configuration, if they have already customized $g_disallowed_files).

dregad

dregad

2022-06-13 06:31

developer   ~0066743

CVE Request 1282365 sent

dregad

dregad

2022-06-17 04:55

developer   ~0066756

CVE-2022-33910 assigned

dregad

dregad

2022-06-17 05:15

developer   ~0066758

@Devendra Bhatla attached is a proposed patch for review, thanks in advance for your feedback

CVE-2022-33910.patch (2,338 bytes)   
diff --git a/config_defaults_inc.php b/config_defaults_inc.php
index 66f3a63aa..eefb01355 100644
--- a/config_defaults_inc.php
+++ b/config_defaults_inc.php
@@ -1976,19 +1976,31 @@ $g_max_file_size = 5 * 1024 * 1024;
 $g_file_upload_max_num = 10;
 
 /**
- * Files that are allowed or not allowed.  Separate items by commas.
- * eg. 'php,html,java,exe,pl'
- * if $g_allowed_files is filled in NO other file types will be allowed.
- * $g_disallowed_files takes precedence over $g_allowed_files
+ * Authorized file types (whitelist).
+ *
+ * If $g_allowed_files is filled in, NO other file types will be allowed. If
+ * empty, any extensions not specifically excluded by $g_disallowed_files list
+ * will be authorized ($g_disallowed_files takes precedence over $g_allowed_files).
+ * Separate items by commas, e.g. 'bmp,gif,jpg,png,txt,zip'.
+ *
+ * @see $g_allowed_files
  * @global string $g_allowed_files
  */
 $g_allowed_files = '';
 
 /**
+ * Forbidden file types (blacklist).
+ *
+ * All file extensions in this list will be unauthorized.
+ * Separate items by commas, e.g. 'php,html,java,exe,pl,svg'.
+ *
+ * SVG files are disabled by default, for security reasons. It is recommended to
+ * also disable all extensions that can be executed by your server;
  *
+ * @see $g_allowed_files
  * @global string $g_disallowed_files
  */
-$g_disallowed_files = '';
+$g_disallowed_files = 'svg';
 
 /**
  * prefix to be used for the file system names of files uploaded to projects.
diff --git a/file_download.php b/file_download.php
index 9ed9b5f44..005fe4d54 100644
--- a/file_download.php
+++ b/file_download.php
@@ -202,9 +202,18 @@ if( $t_content_type_override ) {
 # https://www.thoughtco.com/mime-types-by-content-type-3469108
 $t_show_inline = $f_show_inline;
 $t_mime_force_inline = array(
-	'image/jpeg', 'image/gif', 'image/tiff', 'image/bmp', 'image/svg+xml', 'image/png',
-	'application/pdf' );
-$t_mime_force_attachment = array( 'application/x-shockwave-flash', 'text/html' );
+	'application/pdf',
+	'image/bmp',
+	'image/gif',
+	'image/jpeg',
+	'image/png',
+	'image/tiff',
+);
+$t_mime_force_attachment = array(
+	'application/x-shockwave-flash',
+	'image/svg+xml', # SVG could contain CSS or scripting, see #30384
+	'text/html',
+);
 
 # extract mime type from content type
 $t_mime_type = explode( ';', $t_content_type, 2 );
CVE-2022-33910.patch (2,338 bytes)   

Related Changesets

MantisBT: master-2.25 26676219

2022-06-15 12:28

dregad

Details Diff
Disable SVG files upload by default

SVG files are not just images, they are XML files and as such could
contain inline CSS or scripting which could be used as attack vector
for stored XSS.

Devendra Bhatla and Febin Mon Saji <febinrev811@gmail.com> both and
independently reported this vulnerability.

Fixes 0029135, CVE-2022-33910
Affected Issues
0029135
mod - config_defaults_inc.php Diff File
mod - docbook/Admin_Guide/en-US/config/uploads.xml Diff File