Stored XSS Via SVG File Upload in kiwitcms/kiwi

Valid

Reported on

Jan 6th 2023


XSS Via SVG File Upload

When uploading an image file to a bug report, you can upload .svg files that are not sanitized before they are stored and rendered, so any JavaScript embedded in the SVG executes in the context of the Kiwi TCMS site when the attachment is opened.

Steps To Reproduce

1. Create a bug report.
2. Upload an SVG attachment with an embedded JavaScript payload. For example, you can use the following file (the `onload` handler on the root `<svg>` element fires as soon as the document is rendered):

<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg onload="alert(1)" xmlns="http://www.w3.org/2000/svg"><defs><font id="x"><font-face font-family="y"/></font></defs></svg>

3. Right-click the attachment and open it (for example in a new tab). The JavaScript executes.

Mitigation

https://github.com/kiwitcms/Kiwi/blob/master/tcms/rpc/api/user.py#L193

Before storing the attachment, check the file extension and the actual content, then either reject SVG files that carry active content (`<script>` elements, `on*` event handlers, `javascript:` hrefs) or sanitize them before they are accepted. Checking the extension alone is not enough, because the browser acts on the bytes and the Content-Type the server sends, not on the name. Sanitizing SVG is also error-prone (entity-encoded attribute names, SMIL `<set>`/`<animate>` elements that assign handler attributes at runtime, `<foreignObject>`), so a safer default is to serve uploaded attachments with `Content-Disposition: attachment` and a restrictive Content-Security-Policy, or from a separate origin, so that even a file that slips through cannot run script in the application's origin.
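The following is an added example, not code from the Kiwi TCMS project, of the check described above. It sniffs the upload for SVG content regardless of extension, scans the parsed tree for active content (so the reproduction payload above is caught even if renamed to `.png`), and builds the response headers that keep a stored attachment from rendering in the application's origin. All function and constant names, the allowed-extension list and the sample inputs are this example's own assumptions.

```python
"""Added example (not Kiwi TCMS code): validate an uploaded image attachment by
sniffing for SVG, scanning the parsed SVG for active content, and choosing
response headers that stop a stored file from rendering in the app's origin.
Names and the allowed-extension list are this example's assumptions."""
import os
import re
import xml.etree.ElementTree as ET

ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".svg"}
# Elements that run script or embed another document inside an SVG.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
# SMIL animation elements can assign an event handler at runtime,
# e.g. <set attributeName="onmouseover" to="alert(1)"/>.
ANIMATION_ELEMENTS = {"set", "animate", "animatetransform", "animatemotion"}
URL_ATTRIBUTES = {"href", "src", "to", "from", "values"}

# Constructed sample inputs: the payload quoted in the report, and a harmless icon.
MALICIOUS_SVG = (
    b'<?xml version="1.0" standalone="no"?>'
    b'<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" '
    b'"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">'
    b'<svg onload="alert(1)" xmlns="http://www.w3.org/2000/svg">'
    b'<defs><font id="x"><font-face font-family="y"/></font></defs></svg>'
)
BENIGN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    b'<rect width="10" height="10" fill="red"/></svg>'
)


def _local(qname: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tag/attribute names."""
    return qname.rsplit("}", 1)[-1].lower()


def parse_svg(data: bytes):
    """Return the root element if the bytes are XML with an <svg> root, else None.
    Sniffing the content, not the extension, mirrors what the browser will do."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return None
    return root if _local(root.tag) == "svg" else None


def find_active_content(root) -> list[str]:
    """List every place in a parsed SVG where script could run. Working on the
    parsed tree means entity-encoded attribute names are already decoded,
    which a regex over the raw bytes would miss."""
    findings = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):
                findings.append(f"{name} event handler on <{tag}>")
            elif name in URL_ATTRIBUTES and re.match(
                r"^\s*(javascript|vbscript)\s*:", value, re.IGNORECASE
            ):
                findings.append(f"{name} with script URL on <{tag}>")
        animated = _local(el.attrib.get("attributeName", ""))
        if tag in ANIMATION_ELEMENTS and animated.startswith("on"):
            findings.append(f"<{tag}> assigning {animated} at runtime")
    return findings


def validate_attachment(filename: str, data: bytes) -> tuple[bool, str]:
    """Decide whether an upload may be stored. Returns (accepted, reason)."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext!r} not allowed"
    root = parse_svg(data)
    if root is not None:
        findings = find_active_content(root)
        if findings:
            return False, "SVG contains active content: " + "; ".join(findings)
        if ext != ".svg":
            return False, "SVG content uploaded under a non-.svg name"
    return True, "ok"


def download_headers(filename: str) -> dict[str, str]:
    """Response headers for serving a stored attachment: the browser downloads
    the file instead of rendering it, and the CSP 'sandbox' directive blocks
    script even if it is rendered anyway."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


if __name__ == "__main__":
    for name, blob in (("poc.svg", MALICIOUS_SVG), ("poc.png", MALICIOUS_SVG),
                       ("icon.svg", BENIGN_SVG)):
        print(name, validate_attachment(name, blob))
```

The scan deliberately runs on the parsed tree rather than on the raw bytes, and the headers are a second layer rather than a replacement for the upload check: a blocklist of dangerous SVG constructs is never guaranteed complete, so the serving side should not rely on it.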

Impact

A malicious user can upload an .SVG file with embedded JavaScript that executes in a victim's browser as soon as the victim opens the attachment in another tab. Because the file is served from the Kiwi TCMS origin, the script runs with that origin's privileges: it can read session cookies that are not marked HttpOnly, or act in the application as the victim. This also allows an attacker to use the Kiwi TCMS site to host their malicious .SVG payload and send victims a direct link to the uploaded attachment.

We are processing your report and will contact the kiwitcms/kiwi team within 24 hours. a year ago
We have contacted a member of the kiwitcms/kiwi team and are waiting to hear back a year ago
1d8 (Researcher), a year ago


@admin any way to get an update on this? Perhaps pinging the maintainer again?

Ben Harvie (Admin), a year ago


We don't provide any updates from this point, feel free to try and reach the maintainer yourself.

kiwitcms/kiwi maintainer validated this vulnerability a year ago
1d8 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
kiwitcms/kiwi maintainer marked this as fixed in 12.1 with commit 6617ce a year ago
The fix bounty has been dropped
This vulnerability has now been published 10 months ago