This repository was archived by the owner on Dec 19, 2023. It is now read-only.

Removed XML file extension from defaultExtensions #3

Open
0xcrypto wants to merge 1 commit into 418sec:develop from 0xcrypto:develop

Conversation


@0xcrypto 0xcrypto commented Apr 3, 2021

XML file extensions should not be allowed to upload as they can be used for rendering malicious code, i.e. cross-site scripting.

📊 Metadata *

Please enter the direct URL for this bounty on huntr.dev. This is compulsory and will help us process your bounty submission quicker.

Bounty URL:https://huntr.dev/bounties/1-packagist-october/rain/

⚙️ Description *

Cross Site Scripting is a vulnerability in a web application which allows an attacker to run malicious JavaScript code on the device of a victim. This fix removes the XML file uploads as XML is rendered by the browser which can allow an attacker to perform a Stored Cross Site Scripting.

💻 Technical Description *

October CMS uses this library to handle file uploads. But XML files are allowed to be uploaded, which can be used to upload XSS payloads utilizing XML namespaces.

🐛 Proof of Concept (PoC) *

Using any user account with the file upload privileges, visit /backend/backend/media in October CMS and upload the following XML file:

<script xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg">
alert('xss');
</script>

Now you have the XML file uploaded to storage. Visit its URL by using the Click Here link on the Media page and the alert box pops up.

🔥 Proof of Fix (PoF) *

Since XML files are not allowed to be uploaded, the XSS via XML files is no longer possible.

👍 User Acceptance Testing (UAT)

Generic fix. I think it should not break any functionality.

XML file extensions should not be allowed to upload
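
As an added example (not code from the Rain library, October CMS, or this PR), the following PHP shows the class of check the PR narrows: a deny-by-default extension allowlist for uploads, with a separate list of browser-renderable markup types that is consulted even if the allowlist is customised, and the response headers that make a stored upload download rather than render. The allowlist contents, function names and sample file names are assumptions made for illustration; the real list is the library's defaultExtensions definition that this PR edits.

```php
<?php
declare(strict_types=1);

// Added example, not code from the Rain library or October CMS. The allowlist
// below is invented for illustration; the real list is defaultExtensions().

/**
 * Extensions a browser will parse as a document that can execute script when
 * the file is served inline with a matching Content-Type. XML is here because
 * a generic XML document may declare the SVG or XHTML namespace on any
 * element, which is exactly what the PoC above relies on.
 */
const BROWSER_ACTIVE_EXTENSIONS = ['xml', 'xhtml', 'xht', 'html', 'htm', 'svg', 'svgz'];

/** Hypothetical allowlist standing in for the library's default extensions. */
const EXAMPLE_ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt', 'zip'];

/**
 * Normalise the extension of an uploaded file name:
 * - strip trailing dots and whitespace ("evil.xml." / "evil.xml "), which some
 *   filesystems silently drop when the file is written,
 * - lower-case so "evil.XML" matches "xml",
 * - return '' when there is no extension at all.
 */
function uploadExtension(string $fileName): string
{
    $name = rtrim($fileName, ". \t\r\n");
    return strtolower(pathinfo($name, PATHINFO_EXTENSION));
}

/**
 * Deny-by-default allowlist check. Returns true only when an extension is
 * present, is not browser-active markup, and appears in the allowlist.
 */
function isUploadExtensionAllowed(string $fileName, array $allowed = EXAMPLE_ALLOWED_EXTENSIONS): bool
{
    $ext = uploadExtension($fileName);
    if ($ext === '') {
        return false;
    }
    if (in_array($ext, BROWSER_ACTIVE_EXTENSIONS, true)) {
        return false;
    }
    return in_array($ext, array_map('strtolower', $allowed), true);
}

/**
 * Headers for serving a stored upload so the browser downloads it instead of
 * rendering it. Pairs with the allowlist: even a file that passed the check is
 * never executed as a document from the media origin.
 */
function downloadResponseHeaders(string $fileName): array
{
    // Strip characters that would break out of the quoted filename parameter.
    $safeName = str_replace(['"', "\r", "\n"], '', basename($fileName));
    return [
        'Content-Type'            => 'application/octet-stream',
        'Content-Disposition'     => 'attachment; filename="' . $safeName . '"',
        'X-Content-Type-Options'  => 'nosniff',
        // Neutralises script execution if a client still renders the body.
        'Content-Security-Policy' => "default-src 'none'; sandbox",
    ];
}

// Constructed sample input: file names an attacker might try against the check.
$samples = [
    'photo.png'    => true,
    'report.PDF'   => true,
    'payload.xml'  => false,   // the PoC's vector
    'payload.XML'  => false,
    'payload.xml.' => false,
    'icon.svg'     => false,
    'README'       => false,
    'archive.zip'  => true,
];

foreach ($samples as $name => $expected) {
    $result = isUploadExtensionAllowed($name);
    printf("%-14s allowed=%-5s %s\n", $name, var_export($result, true),
        $result === $expected ? 'ok' : 'MISMATCH');
}
```

Removing one extension from the allowlist, as the PR does, closes the vector shown in the PoC; the separate BROWSER_ACTIVE_EXTENSIONS list and the download headers are the two extra controls a reviewer would normally ask for, since any inline-rendered markup from the media origin carries the same risk.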
@huntr-helper

👋 Hello, @daftspunk. @0xcrypto has opened a PR to us with a fix for a potential vulnerability in your repository. To view the vulnerability, please refer to the bounty URL in the first comment, above. If you want this fix in your repository, a PR will automatically open once you comment:

@huntr-helper - LGTM


☎️ Need further support?

Come and join us on our community Discord!


@daftspunk - want more fixes like this?

Copy this snippet into your README.md for more vulnerability fixes in the future:

[![huntr](https://cdn.huntr.dev/huntr_security_badge_mono.svg)](https://huntr.dev)


@daftspunk

Please do not expose our users to potential zero-day exploits. You must contact us via our security policy. However, this has been fixed in:

octobercms@6bcb7b9
octobercms@2ceaf17

Thanks
