Lucene search
Ooooooo_qH1:429873HistoryOct 28, 2018 - 6:58 a.m.
Ruby on Rails: XSS by MathML at Active Storage
2018-10-2806:58:51
ooooooo_q
hackerone.com
3
0.001 Low
EPSS
Percentile
35.8%
In Active Storage, formats treated as binary have been confirmed, It does not contain application/mathml+xml.
https://github.com/rails/rails/commit/d40284b1a44773b03d78ca67a888b94fd330d1b1
In Marcel::MimeType.for, if content-type can not be determined with magic byte, since it is determined using the extension, uploading the file with .mml will be judged as application/mathml+xml.
#https://github.com/minad/mimemagic/blob/master/lib/mimemagic/tables.rb#L387
'mml' => 'application/mathml+xml',
I confirmed that MathML XSS is executable in Mac Firefox 63. (https://html5sec.org/#130)
<math xmlns="http://www.w3.org/1998/Math/MathML" href="javascript:alert(location)">click page
</math>
Upload the above contents as math.mml, open the URL directly in Firefox and click in the screen to open an alert.
Impact
It will allow attacks against Firefox users.
Related
cvelist
cvelist
CVE-2018-16477
2018-11-30 19:00:00
osv
osv
Exposure of Sensitive Information to an Unauthorized Actor in activestorage
2018-12-05 17:17:02
CVE-2018-16477
2018-11-30 19:29:00
veracode
veracode
Cross-Site Scripting (XSS)
2018-11-28 02:22:01
ubuntucve
ubuntucve
CVE-2018-16477
2018-11-30 00:00:00
nvd
nvd
CVE-2018-16477
2018-11-30 19:29:00
hackerone
hackerone
openvas
openvas
Fedora Update for rubygem-activestorage FEDORA-2019-307ebe924c
2019-05-07 00:00:00
cve
cve
CVE-2018-16477
2018-11-30 19:29:00
github
github
Exposure of Sensitive Information to an Unauthorized Actor in activestorage
2018-12-05 17:17:02
fedora
fedora
[SECURITY] Fedora 29 Update: rubygem-activestorage-5.2.1-3.fc29
2019-02-26 03:07:15
prion
prion
Design/Logic Flaw
2018-11-30 19:29:00
gitlab
gitlab
Exposure of Sensitive Information to an Unauthorized Actor
2018-11-30 00:00:00
debiancve
debiancve
CVE-2018-16477
2018-11-30 19:29:00
rubygems
rubygems
Bypass vulnerability in Active Storage
2018-11-26 21:00:00