View Issue Details
Field | Value |
---|---|
ID | 0030384 |
Project | mantisbt |
Category | security |
View Status | public |
Date Submitted | 2022-05-25 10:33 |
Last Update | 2022-06-24 04:05 |
Reporter | febin |
Assigned To | dregad |
Priority | normal |
Severity | major |
Reproducibility | always |
Status | closed |
Resolution | fixed |
Product Version | 2.25.4 |
Target Version | 2.25.5 |
Fixed in Version | 2.25.5 |
Summary | 0030384: CVE-2022-33910: Stored XSS via SVG file upload |
Description | MantisBT allows SVG files, and that leads to Stored Cross-Site Scripting and to account takeover. SVG files are technically XML-based images that can include JavaScript in them. An attacker can send a maliciously crafted SVG file by attaching it to an issue/bug report, and when a user or an admin clicks on the attachment, it will get opened in the browser tab instead of being downloaded as a file, and the JavaScript will get executed in his browser; it is capable of doing various stuff like stealing cookies, sending requests on behalf of that user, etc. Severity: HIGH. Remediation: Restrict SVG files or sanitize JavaScript from the SVG data. |
Steps To Reproduce | Note: I have attached a sample SVG file with this report as a proof of concept; you can view the SVG file's source code in your browser. The JavaScript code might not execute because of the CSP that is implemented in this instance, but not all other instances would have CSP implemented, and that makes this a valid security issue. POC (SVG source code): |
Additional Information | I wish to be credited for the finding and for my name to be included in the CVE report. Name: FEBIN MON SAJI |
Tags | No tags attached. |
Thanks for the detailed report. I confirm the problem, will look into it. A similar issue (0029135) was reported a few months ago using the same SVG attack vector, except that it refers to CSS injection, but I believe it is the same root cause.
CSP headers are standard in MantisBT and active out of the box on any installation. Of course, there is still an issue when
I don't see at the moment how this can be prevented, as changing the content itself when uploading or downloading is not an option. One more option for MantisBT administrators is to use the following options to configure allowed / non-allowed attachment types.
@dregad, we could increase the out of the box security by changing the default settings to something like
I agree that we should not mess with changing file contents. My initial idea was to simply add So I did some research and found this article https://digi.ninja/blog/svg_xss.php that details the various use cases where users are vulnerable to scripted SVG files. The only one that concerns us is the direct view scenario. Since we channel all attachment downloads through file_download.php, it should be fairly straightforward to force SVG files to download instead of being displayed, by means of a
Actually this prevents script execution, but an attacker could still play CSS tricks (0029135), so I think we also need to disable the ability to upload SVG to be on the safe side.
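The two controls discussed in the comments above (an allowed / disallowed attachment-type setting, with the deny list taking precedence, and forcing SVG downloads to be served as attachments rather than displayed inline) reconstructed as an added Python example. This is not MantisBT's own PHP code: the setting names are modelled on `$g_allowed_files` / `$g_disallowed_files` and the MIME lists on the thread, but the functions, sample values and filename handling are constructed here.

```python
import os

# Constructed configuration modelled on the two MantisBT settings discussed in
# this thread ($g_allowed_files / $g_disallowed_files). Values are examples.
ALLOWED_FILES = ""                 # empty allowlist: anything not denied passes
DISALLOWED_FILES = "svg,php,html"  # denylist wins over the allowlist

# MIME types forced inline / forced to download (constructed, after the thread).
MIME_FORCE_INLINE = {
    "application/pdf", "image/bmp", "image/gif",
    "image/jpeg", "image/png", "image/tiff",
}
MIME_FORCE_ATTACHMENT = {
    "application/x-shockwave-flash",
    "image/svg+xml",   # may carry scripts, CSS or <foreignObject> HTML
    "text/html",
}


def _parse_ext_list(csv):
    """'php, Html,.svg' -> {'php', 'html', 'svg'} (lower-case, no dots)."""
    return {item.strip().lower().lstrip(".") for item in csv.split(",") if item.strip()}


def _extension(filename):
    """Last extension of the base name, lower-cased ('Logo.SVG' -> 'svg').

    rpartition is used instead of os.path.splitext so that a file named
    '.svg' is still recognised as an SVG (splitext would return no extension).
    """
    base = os.path.basename(filename)
    return base.rpartition(".")[2].lower() if "." in base else ""


def upload_allowed(filename, allowed=ALLOWED_FILES, disallowed=DISALLOWED_FILES):
    """Decide whether an attachment may be uploaded, by extension.

    The denylist is checked first so it takes precedence over the allowlist;
    with an empty allowlist, everything not denied is accepted.
    """
    ext = _extension(filename)
    if ext in _parse_ext_list(disallowed):
        return False
    allow = _parse_ext_list(allowed)
    if allow:
        return ext in allow
    return True


def _safe_filename(filename):
    """Keep only the base name and drop characters that could break the header."""
    base = os.path.basename(filename)
    cleaned = "".join(ch for ch in base if ch not in '"\\' and ch.isprintable())
    return cleaned or "download"


def content_disposition(content_type, filename, want_inline=True):
    """Build the Content-Disposition header value for serving an attachment.

    MIME parameters ('; charset=...') are ignored; forced-attachment types are
    never shown inline even when the caller asks for inline display.
    """
    mime = content_type.split(";", 1)[0].strip().lower()
    if mime in MIME_FORCE_ATTACHMENT:
        disposition = "attachment"
    elif mime in MIME_FORCE_INLINE:
        disposition = "inline"
    else:
        disposition = "inline" if want_inline else "attachment"
    return f'{disposition}; filename="{_safe_filename(filename)}"'


if __name__ == "__main__":
    for name in ("diagram.svg", ".svg", "photo.JPG", "notes.txt"):
        print(f"{name}: upload allowed = {upload_allowed(name)}")
    print(content_disposition("image/svg+xml; charset=utf-8", "diagram.svg"))
```

Both checks are deliberately independent: the extension denylist stops new SVG uploads, while the MIME-based disposition protects attachments that were uploaded before the denylist was in place, which is why the thread settles on doing both.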
CVE Request 1282365 sent
CVE-2022-33910 assigned
@febin, attached is a proposed patch for review; thanks in advance for your feedback. CVE-2022-33910.patch (2,338 bytes)
diff --git a/config_defaults_inc.php b/config_defaults_inc.php index 66f3a63aa..eefb01355 100644 --- a/config_defaults_inc.php +++ b/config_defaults_inc.php @@ -1976,19 +1976,31 @@ $g_max_file_size = 5 * 1024 * 1024; $g_file_upload_max_num = 10; /** - * Files that are allowed or not allowed. Separate items by commas. - * eg. 'php,html,java,exe,pl' - * if $g_allowed_files is filled in NO other file types will be allowed. - * $g_disallowed_files takes precedence over $g_allowed_files + * Authorized file types (whitelist). + * + * If $g_allowed_files is filled in, NO other file types will be allowed. If + * empty, any extensions not specifically excluded by $g_disallowed_files list + * will be authorized ($g_disallowed_files takes precedence over $g_allowed_files). + * Separate items by commas, e.g. 'bmp,gif,jpg,png,txt,zip'. + * + * @see $g_allowed_files * @global string $g_allowed_files */ $g_allowed_files = ''; /** + * Forbidden file types (blacklist). + * + * All file extensions in this list will be unauthorized. + * Separate items by commas, e.g. 'php,html,java,exe,pl,svg'. + * + * SVG files are disabled by default, for security reasons. It is recommended to + * also disable all extensions that can be executed by your server; * + * @see $g_allowed_files * @global string $g_disallowed_files */ -$g_disallowed_files = ''; +$g_disallowed_files = 'svg'; /** * prefix to be used for the file system names of files uploaded to projects. diff --git a/file_download.php b/file_download.php index 9ed9b5f44..005fe4d54 100644 --- a/file_download.php +++ b/file_download.php 
@@ -202,9 +202,18 @@ if( $t_content_type_override ) { # https://www.thoughtco.com/mime-types-by-content-type-3469108 $t_show_inline = $f_show_inline; $t_mime_force_inline = array( - 'image/jpeg', 'image/gif', 'image/tiff', 'image/bmp', 'image/svg+xml', 'image/png', - 'application/pdf' ); -$t_mime_force_attachment = array( 'application/x-shockwave-flash', 'text/html' ); + 'application/pdf', + 'image/bmp', + 'image/gif', + 'image/jpeg', + 'image/png', + 'image/tiff', +); +$t_mime_force_attachment = array( + 'application/x-shockwave-flash', + 'image/svg+xml', # SVG could contain CSS or scripting, see #30384 + 'text/html', +); # extract mime type from content type $t_mime_type = explode( ';', $t_content_type, 2 ); |
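Review bot: in the config_defaults_inc.php hunk, the new `@see` line in the `$g_allowed_files` docblock points at the setting itself (`+ * @see $g_allowed_files` sits directly above `* @global string $g_allowed_files`); it should read `@see $g_disallowed_files`, which is the setting that paragraph cross-references. In the `$g_disallowed_files` docblock, `It is recommended to also disable all extensions that can be executed by your server;` ends on a semicolon with nothing following it, so the sentence should be completed or closed with a period before merge. The `$g_disallowed_files = 'svg';` default is the actual control here and deserves a mention in the release notes, since the deny list is extension-based and only covers the `svg` extension.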
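Review bot: in the file_download.php hunk, `$t_mime_force_attachment` is matched against `$t_mime_type`, which the lines that follow derive from `$t_content_type` (`explode( ';', $t_content_type, 2 )`), so the forced download only applies when the content type resolved for the file is exactly `image/svg+xml`; a file whose content type resolves differently falls back to `$t_show_inline = $f_show_inline`. The hunk also does not show where the two arrays are consumed to set `$t_show_inline`, so a regression test that requests an SVG attachment and asserts a `Content-Disposition: attachment` response would pin the behaviour down. The inline comment `# SVG could contain CSS or scripting, see #30384` is a good pointer; the same justification belongs in the CHANGELOG entry.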
SVG can include HTML using the <foreignObject> element (works on Firefox only), which can be used for phishing or similar stuff.
@febin I'm not sure I get your point. The proposed patch completely prevents upload of SVG files by default (can be changed by admin), and as an extra safety measure ensures the SVG files are always downloaded as attachments instead of being opened in a browser tab. I believe other use cases (display in IMG tags) are not exposed to the vulnerability. Please clarify and correct me if I'm wrong.
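The exchange above lists the SVG features that make an inline-displayed attachment dangerous: script elements, event-handler attributes, `javascript:` URLs, CSS (the 0029135 vector) and `<foreignObject>` HTML. The following added Python example, not part of this issue or of MantisBT, is a triage scanner an administrator could run over SVG attachments already stored before the deny list was enabled, to see which of those features each file carries. The sample documents are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Element local names worth flagging, with the reason reported for each.
RISKY_ELEMENTS = {
    "script": "<script> element",
    "foreignobject": "<foreignObject> element",   # embeds HTML (Firefox)
    "style": "<style> element",                   # CSS injection vector
}


def _local(qname):
    """'{http://www.w3.org/2000/svg}script' -> 'script' (lower-cased)."""
    return qname.rsplit("}", 1)[-1].lower()


def svg_findings(svg_text):
    """Return a list of human-readable findings for one SVG document.

    An empty list means none of the inspected features is present. A document
    that does not parse is reported as a finding too: it cannot be vetted, so
    it should be served as an attachment rather than displayed.
    """
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]

    findings = []
    for elem in root.iter():              # root.iter() includes the root itself
        local = _local(elem.tag)
        if local in RISKY_ELEMENTS:
            findings.append(RISKY_ELEMENTS[local])
        for attr, value in elem.attrib.items():
            name = _local(attr)           # covers xlink:href as well as href
            if name.startswith("on"):
                findings.append(f"event handler attribute {name} on <{local}>")
            elif name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL in href on <{local}>")
            elif name == "style":
                findings.append(f"inline style attribute on <{local}>")
    return findings


# Constructed sample documents (not the reporter's attachment).
SVG_NS = 'xmlns="http://www.w3.org/2000/svg"'
SAMPLES = {
    "plain":   f'<svg {SVG_NS}><circle r="5"/></svg>',
    "script":  f'<svg {SVG_NS}><script>void 0</script></svg>',
    "onload":  f'<svg {SVG_NS} onload="void 0"/>',
    "href":    f'<svg {SVG_NS} xmlns:xlink="http://www.w3.org/1999/xlink">'
               '<a xlink:href="javascript:"><text>x</text></a></svg>',
    "foreign": f'<svg {SVG_NS}><foreignObject>'
               '<body xmlns="http://www.w3.org/1999/xhtml"><p>Sign in</p></body>'
               '</foreignObject></svg>',
    "css":     f'<svg {SVG_NS}><style>circle{{fill:red}}</style><circle r="1"/></svg>',
    "broken":  "<svg><circle",
}


def triage(samples):
    """Map each sample name to its findings; names with [] are clean."""
    return {name: svg_findings(doc) for name, doc in samples.items()}


if __name__ == "__main__":
    for name, found in triage(SAMPLES).items():
        print(f"{name}: {found or 'no findings'}")
```

The scanner is a review aid, not a sanitizer: the thread's conclusion (refuse SVG uploads and force existing ones to download) still stands, because a clean scan today says nothing about a browser feature added tomorrow. For files of unknown origin, parse with defusedxml rather than the standard library module, which does not defend against entity-expansion attacks.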
MantisBT: master-2.25 0d1d7b65 2022-06-13 06:03
Code cleanup: 1 array element per row, sorted. Issue 0030384
Affected Issues: 0030384
mod - file_download.php
MantisBT: master-2.25 262ecdde 2022-06-13 06:09
Prevent script execution when viewing SVG files

A cross-site scripting vulnerability allows remote attackers to attach maliciously crafted SVG files to issue reports or bugnotes. When a user or an admin clicks on the attachment, file_download.php will open the SVG in a browser tab instead of downloading it as a file, causing the JavaScript to execute. This risk is mitigated by MantisBT's default Content Security Policy, which prevents execution of inline scripts.

This fixes the issue by forcing download as attachment for files of image/svg+xml MIME type.

Devendra Bhatla and Febin Mon Saji <febinrev811@gmail.com> both independently reported this vulnerability.

Fixes 0030384, CVE-2022-33910
Affected Issues: 0030384
mod - file_download.php