XSS (via SVG file upload) in Monstra-dev
security-breachlock opened this issue · 1 comment
Affected software: Monstra-dev
Type of vulnerability: XSS (via SVG file upload)
Discovered by: BreachLock
Website: https://www.breachlock.com
Author: Balvinder Singh
Description: SVG files can contain JavaScript in <script> tags. Browsers are smart enough to ignore scripts embedded in SVG files included via IMG tags. However, a direct request for an SVG file will result in the scripts being executed.
So an embedded SVG as an attachment in an issue or avatar does not execute the code, but if a user clicks on the attachment the code will execute.
Proof of concept:
Step 1: Log in to the Monstra-dev CMS.
Step 2: In the content section, choose files and upload a malicious SVG file.
URL: http://localhost/monstra-dev/monstra-dev/admin/index.php?id=filesmanager&path=uploads/
Step 3: Now open that file, which was saved as 1.svg; the output below will be shown.
VulnerableURL: http://localhost/monstra-dev/monstra-dev/public/uploads/1.svg
Hi Team,
Any updates regarding the patch?
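
An upload-time check for the behaviour described in this issue, as an added example that is not part of the original report or of Monstra's code. The helper `svg_active_content()` is hypothetical and the sample SVG is constructed for illustration.

```php
<?php
// Added example: flag active content in an uploaded SVG before it is stored.
// svg_active_content() is a hypothetical helper, not a Monstra function.
// A denylist like this is not exhaustive; treat it as a detection aid.

function svg_active_content(string $svg): array
{
    if (trim($svg) === '') {
        return ['empty file'];
    }
    $doc = new DOMDocument();
    // LIBXML_NONET blocks network access; entities are not expanded (no LIBXML_NOENT).
    if (!@$doc->loadXML($svg, LIBXML_NONET)) {
        return ['not well-formed XML'];
    }
    $findings = [];
    if ($doc->doctype !== null) {
        $findings[] = 'DOCTYPE declaration present';
    }
    $blocked = ['script', 'foreignobject', 'iframe', 'embed', 'object'];
    foreach ($doc->getElementsByTagName('*') as $el) {
        $name = strtolower($el->localName);
        if (in_array($name, $blocked, true)) {
            $findings[] = "element <$name>";
        }
        foreach ($el->attributes as $attr) {
            $an = strtolower($attr->localName);   // xlink:href -> href
            // Strip whitespace and control characters before matching the scheme.
            $av = strtolower(preg_replace('/[\x00-\x20]+/', '', $attr->value));
            if (strpos($an, 'on') === 0) {
                $findings[] = "event handler attribute '$an' on <$name>";
            }
            if (in_array($an, ['href', 'src'], true) && strpos($av, 'javascript:') === 0) {
                $findings[] = "javascript: URL in '$an' on <$name>";
            }
        }
    }
    return $findings;
}

// Constructed sample input (not the file from the report); x() is a placeholder.
$sample = '<svg xmlns="http://www.w3.org/2000/svg" onload="x()">'
        . '<script>x()</script><circle r="5"/></svg>';

$findings = svg_active_content($sample);
foreach ($findings as $f) {
    echo $f, PHP_EOL;
}
echo $findings ? 'reject upload' : 'accept upload', PHP_EOL;
```

Because the script only runs when the SVG is requested directly, serving the uploads directory with `Content-Disposition: attachment` and `X-Content-Type-Options: nosniff` closes the same path even when a file slips past a check like this.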