[Self-attack vulnerabilities] possibilities/list

[robiso]

The bugs below work only if an admin is logged and is tricked into pasting JavaScript code or uploading SVG's

WonderCMS comes with some security features and some responsibilities.

1. A logged-in user (admin) can execute JavaScript anywhere on their website.

• This has always been a WonderCMS feature.
• I personally don't consider this needs fixing, since a logged-in admin can do much more damage than just XSS attacks (including website defacement, malware distribution, cryptominers, ...)

2. A logged in user can upload a SVG (containing code other than an image, such as JavaScript).

• SVG's are generally not just images, they can also include code such as JavaScript, XML, these are awesome features of SVG's.
• Sanitizing SVG's would partially kill their functionality.
• If there are enough wishes for this action, the SVG uploading functionality can be completely removed from WonderCMS.
• If we already allow JavaScript to be executed at any part of the CMS, would removing the SVG functionality make any difference?

3. Host header attack.

• This will not be considered a vulnerability until we see a live exploit of this (not local).
• Using the Burp Suite Tool to create/show a local attack is not enough, since there needs to be a way to exploit a WonderCMS installation (and not just locally attack one-self).

How to prevent self-attack vulnerabilities

• Avoid pasting random JavaScript code.
• Avoid uploading random SVG's.
  - Install themes and plugins only from wondercms.com

---

The list above is subject to change. All discussions are welcome.
Reporting the above issues/bugs/vulnerabilities will not include you in the WonderCMS reward system.

[robiso]

I'm trying to think of a reason to counter myself and ask should we remove SVG uploading functionality and why?

• even if we remove SVG uploading, users can still INLINE SVG's with HTML, which is a good thing
• this way we can prevent users being "tricked" into uploading malicious SVG's onto their site, since they can't see the SVG content (if someone tricks them).

Please share your opinion on this topic.
TLDR: Remove SVG uploading or not? (even if we remove it, users can inline SVG's)

• please note we would be still supporting executing JavaScript in any part of WonderCMS as we already do.

[robiso]

Added additional warning for uploading SVG's on the WonderCMS download page.

Here's the safety tips:
5 safety tips to avoid being hacked

• Change the default password and default login URL immediately.
• Install themes and plugins only from this website.
• Regularly update WonderCMS. Always create backups.
• WonderCMS supports running JavaScript anywhere. Be careful not to paste random/malicious JavaScript code.
• WonderCMS supports uploading SVG's which could also contain JavaScript code. Don't get tricked into uploading malicious SVG's. If in doubt, avoid uploading any SVG file extension.

[NicolasCARPi]

Change the default password and default login URL immediately.

Better: generate a random password from start so in the (likely) event that the user doesn't change the password, it's different on all installs.

[robiso]

@NicolasCARPi since WonderCMS doesn't pick up the users email, we would still have to display the password on the users home page.

This would however prevent any automated attacks with the default password.

[robiso]

Closing this thread, create a seperate wiki page: https://github.com/robiso/wondercms/wiki/%5BSelf-attack-vulnerabilities%5D-possibilities-list