Ruby on Rails: XSS by MathML at Active Storage

HackerOne report H1:429873
Reported by ooooooo_q, 2018-10-28 06:58:51
Source: hackerone.com

EPSS: 0.001 (percentile 35.6%)

I checked the list of content types that Active Storage treats as binary (serves with a forced download rather than inline); it does not contain application/mathml+xml.

https://github.com/rails/rails/commit/d40284b1a44773b03d78ca67a888b94fd330d1b1

In Marcel::MimeType.for, if the content type cannot be determined from the magic bytes, it is determined from the file extension, so a file uploaded with the .mml extension will be classified as application/mathml+xml.

# https://github.com/minad/mimemagic/blob/master/lib/mimemagic/tables.rb#L387
    'mml' => 'application/mathml+xml',
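As an added illustration (not code from this report, Rails or Marcel), the following Ruby models the two decisions the report describes: content-type detection that falls back from magic bytes to the file extension, and the choice between serving a blob inline or as a binary download depending on whether its type is in the binary list. The magic-byte table, extension table, type lists and function names are constructed for this example; the real behaviour lives in Marcel::MimeType.for and Active Storage.

```ruby
# Constructed magic-byte table: only a couple of binary image formats are
# sniffed, so a MathML document never matches here.
MAGIC_BYTES = {
  "\x89PNG\r\n\x1A\n".b => "image/png",
  "\xFF\xD8\xFF".b      => "image/jpeg",
}.freeze

# Constructed extension table, modelled on the mimemagic entry quoted above.
EXTENSION_TYPES = {
  "png" => "image/png",
  "jpg" => "image/jpeg",
  "svg" => "image/svg+xml",
  "mml" => "application/mathml+xml",
}.freeze

# Content types served as a binary download. BINARY_TYPES_BEFORE is a small
# stand-in for a list that lacks MathML, as the report found; BINARY_TYPES_FIXED
# adds it. Neither is copied from Rails.
BINARY_TYPES_BEFORE = %w[text/html image/svg+xml application/xml text/xml].freeze
BINARY_TYPES_FIXED  = (BINARY_TYPES_BEFORE + %w[application/mathml+xml]).freeze

# Step 1: sniff magic bytes; if nothing matches, fall back to the extension.
def detect_content_type(bytes, filename)
  data = bytes.b
  MAGIC_BYTES.each do |signature, type|
    return type if data.start_with?(signature)
  end
  ext = File.extname(filename).delete_prefix(".").downcase
  EXTENSION_TYPES.fetch(ext, "application/octet-stream")
end

# Step 2: decide how the blob is served. A type in the binary list is sent as
# application/octet-stream with Content-Disposition: attachment, so the browser
# downloads it instead of rendering it as markup (and running any script in it).
def serve_as(bytes, filename, binary_types)
  type = detect_content_type(bytes, filename)
  if binary_types.include?(type)
    { content_type: "application/octet-stream", disposition: "attachment" }
  else
    { content_type: type, disposition: "inline" }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed upload: harmless MathML with no recognisable magic bytes.
  upload = "<math xmlns=\"http://www.w3.org/1998/Math/MathML\"/>"
  puts "before: #{serve_as(upload, 'math.mml', BINARY_TYPES_BEFORE)}"
  puts "fixed:  #{serve_as(upload, 'math.mml', BINARY_TYPES_FIXED)}"
end
```

With the list that lacks application/mathml+xml the .mml upload is served inline with its MathML type, which is exactly the condition the report exploits in Firefox; with the type added it is forced to a download. In a real Rails application the corresponding setting is config.active_storage.content_types_to_serve_as_binary; before relying on the defaults, check which types the default list in your Rails version actually contains.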

I confirmed that MathML XSS is executable in Mac Firefox 63. (https://html5sec.org/#130)

<math xmlns="http://www.w3.org/1998/Math/MathML" href="javascript:alert(location)">click page
</math>

Upload the above contents as math.mml, open the file's URL directly in Firefox and click on the page to trigger the alert.

Impact

It allows XSS attacks against Firefox users who open an uploaded file's URL.