[SVG feature - public discussion] SVG XSS on file upload #56

Closed
Tanmay-N opened this issue Feb 8, 2018 · 5 comments

Comments


Tanmay-N commented Feb 8, 2018

Hi Team,

I have found stored Cross-Site Scripting in WonderCMS 2.4.0.

In Index.php there is a function "uploadFileAction()"

It does not sanitize SVG files, and it is possible to execute Cross-Site Scripting (XSS) attacks.

I have already sent an email to info@wondercms.com; this works in all modern browsers. I hope you can fix it ASAP.

[image: xss]

When you fix the bug, could you please include my name in the release notes? Tanmay gtanmaynashte@gmail.com

@robiso robiso changed the title Stored Cross-Site Scripting On File Upload [SVG feature?] Stored Cross-Site Scripting On File Upload Feb 8, 2018
robiso (Collaborator) commented Feb 8, 2018

Hello @Tanmay9511.

This seems to be a feature of the way SVG works.
As you probably know, SVG is not only an image but also a sort of app, which supports JavaScript amongst other things.

DISCUSSION - we have 2 options || Please share your opinion!

  1. Remove SVG functionality altogether.
  2. Add a notice to administrators - "WonderCMS supports SVG by default, which brings responsibility for administrators." In this second case, we keep the functionality as it is and warn about the "power" this responsibility brings.

There is a third option: sanitize SVGs and cripple the SVG functionality.

This does not seem like an urgent fix, since it takes multiple conditions for this vulnerability to take place.

  1. The attacker must be logged in as administrator.
  2. The attacker (whilst logged in as admin), must upload the SVG with the correct CSRF token.
    Additional note: JavaScript isn't the only thing SVG executes; it's in its "nature".
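
As an added example (this is not code from the thread or from WonderCMS), here is what the "third option" above looks like in practice: a stdlib-only Python scrubber that strips the parts of an uploaded SVG that can run script, and reports what it removed so an upload handler can either store the cleaned copy or refuse the file outright. The SVG input, the element and attribute lists, and the function names are my own constructions, not anything from the report.

```python
"""Scrub active content from an uploaded SVG (added example, not WonderCMS code).

Removes the parts of an SVG that can execute when the file is opened directly
and reports what was stripped, so the caller can store the cleaned document or
reject the upload. Stdlib only; for production, parse with defusedxml (XML
bombs) and prefer a maintained sanitizer such as DOMPurify, because a
deny-list like this one is only as good as its list.
"""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Keep the usual prefixes on re-serialisation instead of ElementTree's ns0:.
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Elements that execute script or embed foreign (HTML) content.
DANGEROUS_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
# URL schemes that run code or smuggle HTML. Checked on *every* attribute, not
# just href: <set to="javascript:..."> / <animate values="..."> can rewrite an
# href at runtime. data: is blocked too; legitimate data:image/* in <image>
# would need a separate allow-list if you want to keep it.
URL_SCHEME = re.compile(r"^\s*(?:javascript|vbscript|data)\s*:", re.IGNORECASE)
# CSS that pulls remote resources or, in old engines, runs code.
CSS_ACTIVE = re.compile(r"url\s*\(|@import|expression\s*\(|javascript:", re.IGNORECASE)


def _local(tag):
    """'{http://www.w3.org/2000/svg}rect' -> 'rect'."""
    return tag.rsplit("}", 1)[-1]


def _scrub(elem, removed):
    """Depth-first: drop dangerous attributes of elem, then dangerous children."""
    tag = _local(elem.tag)
    for attr in list(elem.attrib):
        name = _local(attr)
        value = elem.attrib[attr]
        if (name.lower().startswith("on")                       # onload, onclick, ...
                or URL_SCHEME.match(value)                       # javascript: etc.
                or (name == "style" and CSS_ACTIVE.search(value))):
            del elem.attrib[attr]
            removed.append(f"attribute {name} on <{tag}>")
    if tag == "style" and CSS_ACTIVE.search(elem.text or ""):
        elem.text = ""
        removed.append("contents of <style>")
    for child in list(elem):
        if _local(child.tag) in DANGEROUS_TAGS:
            elem.remove(child)                                   # whole subtree goes
            removed.append(f"element <{_local(child.tag)}>")
        else:
            _scrub(child, removed)


def sanitize_svg(svg_bytes):
    """Return (clean_svg_bytes, removed).

    removed lists, in document order, everything that was stripped; it is
    empty when the file contained no active content. Raises ET.ParseError on
    malformed XML and ValueError if the root element is not <svg>.
    """
    root = ET.fromstring(svg_bytes)
    if _local(root.tag) != "svg":
        raise ValueError(f"root element is <{_local(root.tag)}>, not <svg>")
    removed = []
    _scrub(root, removed)
    return ET.tostring(root, encoding="utf-8"), removed


def is_safe_svg(svg_bytes):
    """True when sanitize_svg would change nothing (reject-instead-of-rewrite policy)."""
    try:
        return not sanitize_svg(svg_bytes)[1]
    except (ET.ParseError, ValueError):
        return False


# Constructed sample inputs for this example (not files from the original report).
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <script>alert(document.cookie)</script>
  <a xlink:href="javascript:alert(2)"><text y="20">click me</text></a>
  <set attributeName="href" to="javascript:alert(3)"/>
  <foreignObject><body xmlns="http://www.w3.org/1999/xhtml">
    <img src="x" onerror="alert(4)"/></body></foreignObject>
  <rect width="10" height="10" style="fill:url(http://attacker.example/x)"/>
  <circle cx="5" cy="5" r="5"/>
</svg>"""

BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="5"/></svg>'

if __name__ == "__main__":
    clean, removed = sanitize_svg(MALICIOUS_SVG)
    for item in removed:
        print("stripped:", item)
    print(clean.decode())
    print("benign accepted:", is_safe_svg(BENIGN_SVG))
```

Two caveats worth keeping in mind when weighing the options in this thread. First, an SVG referenced through `<img>` never runs script in current browsers; the stored XSS fires when the uploaded file is opened directly by its URL or embedded via `<object>`/`<iframe>`, which is why serving uploads from a separate origin, or with `Content-Security-Policy: sandbox` or `Content-Disposition: attachment`, is the usual alternative to sanitizing. Second, the scrubber above is a deny-list and will lag behind new tricks; the `removed` report exists so you can choose the stricter policy (reject anything that needed cleaning) rather than trusting the rewritten file.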

@robiso robiso changed the title [SVG feature?] Stored Cross-Site Scripting On File Upload [SVG feature - public discussion] Stored Cross-Site Scripting On File Upload Feb 8, 2018
robiso (Collaborator) commented Feb 8, 2018

Here's a look at how WordPress solves it - they don't allow SVGs to be uploaded (although there's a plugin that allows them to be uploaded).

This seems like a sensible choice from WordPress, since they have multiple users.

However, WonderCMS has only one user, which would mean the admin is the only point of entry for an attack. If the user is already an admin, they can do so much more damage than an SVG XSS attack.

Kindly asking for additional opinion on this matter.

@robiso robiso changed the title [SVG feature - public discussion] Stored Cross-Site Scripting On File Upload [SVG feature - public discussion] SVG XSS on file upload Feb 8, 2018
@PiersMorgan

In my opinion no changes are needed here. If you are logged in as admin, by that point you can basically destroy the CMS internally, so why would you want to XSS if you are: 1. logged in as essentially the root user of the website in question; 2. all the XSS vulns people are finding require an admin to be logged in. That sort of defeats the object of XSS, as the whole point would be to find vulnerabilities where you can XSS WITHOUT being logged in.

robiso (Collaborator) commented Feb 8, 2018

+1 @PiersMorgan.

Created a public list of "bugs we won't be fixing" (and aren't really bugs):
#57

A link to the above list has also been added to the official WonderCMS website:

robiso (Collaborator) commented Feb 8, 2018

Closing this issue.

Feel free to continue this discussion here: #57

@robiso robiso closed this as completed Feb 8, 2018
3 participants