XSS using user uploaded SVG files

Bug #1061980 reported by Hugh Davenport on 2012-10-05
Affects      Importance  Assigned to
Mahara       Critical    Hugh Davenport
1.4          Critical    Hugh Davenport
1.5          Critical    Hugh Davenport

Bug Description

I have come across a serious security issue in Mahara version 1.5 which can
allow an attacker to store malicious script on the latest version of Mahara.

Testing Environment:
Operating System: Windows 7 (32-bit)
Web Server: WAMP v2.2
Browser: Mozilla Firefox v15.0.1

Vulnerable Path URL Location: http://localhost/mahara/artefact/file/

Description: I uploaded an SVG file with a malicious payload. Since there
was no validation of the malicious content, I was successful in uploading a
file with malicious script.

Kindly find the screenshots as an attachment along with this mail.

I request you to kindly implement proper sanitization for handling file
contents.

Thank You.
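The report above says the file upload path stored the SVG without looking at its content. The check below is an added example, not Mahara's code and not the patch that fixed this bug: a Python scanner that rejects the constructs an SVG can use to run script or pull in foreign content (a script element, on* event-handler attributes, javascript: or data: links, foreignObject, animation of href, CSS that loads external resources). The two SVG documents it is run against are constructed here and are not the reporter's attachment. Python rather than PHP is used so the check runs stand-alone; the element and attribute names it keys on are SVG's own.

```python
"""Reject uploaded SVG files that carry active content.

Added example; not Mahara's code and not the patch for this bug.  An SVG is
an XML document, so a <script> element, an on* event-handler attribute or a
javascript: link inside it is a stored XSS payload the moment the file is
served inline (image/svg+xml) from the application's own origin.
"""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"

# Elements that run script or embed non-SVG (HTML) content.
FORBIDDEN_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
# Animation elements can rewrite an href to a javascript: URL at run time.
ANIMATION_ELEMENTS = {"animate", "set"}
# URL schemes an href may use; same-document (#id) and relative refs pass too.
ALLOWED_SCHEMES = ("http:", "https:", "mailto:")
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*:)", re.IGNORECASE)
EXTERNAL_CSS_RE = re.compile(r"url\s*\(|@import|expression\s*\(", re.IGNORECASE)


def _local(qname):
    """Split ElementTree's '{ns}name' form into (ns, lower-case name)."""
    if qname.startswith("{"):
        ns, _, name = qname[1:].partition("}")
        return ns, name.lower()
    return None, qname.lower()


def _bad_scheme(value):
    """Return the scheme of an href that is not allowed, else None.

    Control characters and spaces are removed first because browsers ignore
    tabs and newlines inside a scheme ("java&#x09;script:" still executes).
    A relative URL containing a colon is also rejected; that is deliberate.
    """
    cleaned = re.sub(r"[\x00-\x20]", "", value)
    if cleaned.startswith("#"):
        return None
    m = SCHEME_RE.match(cleaned)
    if m is None:
        return None
    scheme = m.group(1).lower()
    return None if scheme in ALLOWED_SCHEMES else scheme


def scan_svg(data):
    """Return a list of findings; an empty list means no active content was seen."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    # ElementTree does not fetch external entities but still expands internal
    # ones (entity-expansion DoS); size-cap the upload or parse with defusedxml.
    findings = []
    if _local(root.tag)[1] != "svg":
        findings.append("root element is not <svg>")
    for el in root.iter():
        ns, name = _local(el.tag)
        if ns != SVG_NS:
            findings.append(f"<{name}> is not in the SVG namespace ({ns!r})")
        if name in FORBIDDEN_ELEMENTS:
            findings.append(f"forbidden element <{name}>")
        if name == "style" and el.text and EXTERNAL_CSS_RE.search(el.text):
            findings.append("<style> references an external resource")
        if name in ANIMATION_ELEMENTS and \
                el.get("attributeName", "").lower() in ("href", "xlink:href"):
            findings.append(f"<{name}> animates href")
        for attr, value in el.attrib.items():
            aname = _local(attr)[1]          # xlink:href and href both become "href"
            if aname.startswith("on"):
                findings.append(f"event handler {aname} on <{name}>")
            elif aname == "href":
                scheme = _bad_scheme(value)
                if scheme:
                    findings.append(f"href on <{name}> uses scheme {scheme}")
            elif aname == "style" and EXTERNAL_CSS_RE.search(value):
                findings.append(f"style attribute on <{name}> references a URL")
    return findings


def is_safe_svg(data):
    """True when the upload may be stored and served as image/svg+xml."""
    return not scan_svg(data)


# Constructed samples; they are not the attachment from the bug report.
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(document.domain)">
  <script>alert(1)</script>
  <a xlink:href="java&#x09;script:alert(2)"><text y="20">click me</text></a>
</svg>"""

BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <defs><circle id="dot" r="2"/></defs>
  <use href="#dot" x="5" y="5" fill="#08c"/>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("malicious", MALICIOUS_SVG), ("benign", BENIGN_SVG)):
        print(label, "->", scan_svg(doc) or "clean")
```

A content scanner like this is a blocklist and should be the second line, not the only one. Script in an SVG runs when the file is navigated to directly or embedded through object, iframe or embed; it does not run when the file is shown through an img element. Serving user uploads with Content-Disposition: attachment, or from a separate origin that holds no session, removes the stored-XSS impact of an SVG regardless of what the scanner missed.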


Hugh Davenport (hugh-davenport) wrote :

Confirmed for all versions back to 1.2, patches are available and will be uploaded in the next few days

Changed in mahara:
status: Confirmed → In Progress
Melissa Draper (melissa) on 2012-10-10
visibility: private → public
Shen (shzhang) wrote :

Where can I find the patches? We are looking at getting this fixed on the individual files instead of doing a whole system upgrade.

Thanks.

Hugh Davenport (hugh-davenport) wrote :

This patch depends on bug #1055232

Hugh Davenport (hugh-davenport) wrote :

Hi Shen,

If you would prefer using git to patch your code, see the latest commits on the branches 1.4_STABLE, 1.5_STABLE, 1.6_STABLE and master (1.6 and master may not be the latest patches as are in current development).

Cheers,

Hugh

Changed in mahara:
status: In Progress → Fix Released

