
Suspected XSS vulnerability in image upload

mkerala

An ethical hacker contacted me saying there is an XSS vulnerability on my site and shared a video of uploading a fake image file which triggered a prompt.

He said this type of code injection attack is carried out by an attacker by entering HTML code or other client script code into a site. This attack will be considered as if it came from the site. As a result of this attack, the attacker can bypass security on the client-side, get sensitive information, or save dangerous applications.

I am not sure to what extent this is true, but I would still like to report this given that some XSS bugs were fixed in the recent release.

Reproduction steps
  1. In Notepad, add the following code
    "><img src=x onerror=prompt(1);>
  2. Save it under the name "><img src=x onerror=prompt(1);>.jpg (Windows does not support this filename; use Android to rename it)
  3. Upload the file to Chevereto
Unexpected result

A prompt will appear. Screenshot attached.

Error log message
Some files couldn't be added
 

Attachments

  • Screenshot_20200201-125015[1].png
This might not be of any direct help with Chevereto, but I usually add some directives into any site I set up to deal with cross-site scripting issues as a very basic security precaution. I have this in place on 2 instances of Chevereto sites, and it hasn't seemed to have had a negative effect.

I insert it at the bottom of the site's .htaccess file ...

Code:
# Send HSTS only on HTTPS responses: the env=HTTPS condition belongs
# after the closing quote of the header value, not inside it.
<IfModule mod_headers.c>
    Header set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
</IfModule>
<IfModule mod_headers.c>
    # Legacy browser XSS filter header
    Header set X-XSS-Protection "1; mode=block"
    # Refuse framing by other origins (clickjacking)
    Header always append X-Frame-Options SAMEORIGIN
    # Stop browsers from MIME-sniffing responses
    Header set X-Content-Type-Options nosniff
</IfModule>

If you don't have/use SSL, you could modify or drop the first block for Strict Transport: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
 
I confirm the bug. The issue is that the uploader handles the raw file name provided by the browser. It will be addressed in the next revision.
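The mechanism described in the report and confirmed above, as an added JavaScript example that is not Chevereto's own code: an upload error message built from the browser-supplied file name by string concatenation is an XSS sink, and HTML-encoding the name at the point it enters the markup closes it. The `<li>` template, the function names and the sanitizer's allowed character set are assumptions for illustration; only the payload file name comes from the reproduction steps.

```javascript
// Added example, not Chevereto's code: why a raw browser-supplied file name
// in an upload error message is an XSS sink, and how to close it.

// Constructed sample inputs. The first is the file name from the
// reproduction steps in the report; the second is an ordinary name.
const MALICIOUS_NAME = '"><img src=x onerror=prompt(1);>.jpg';
const BENIGN_NAME = 'holiday photo (1).jpg';

// Output encoding: escape the five characters that can change HTML context.
// Equivalent to PHP's htmlspecialchars($s, ENT_QUOTES).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Input restriction as defence in depth (assumed character set, not a
// substitute for output encoding): keep a conservative set of characters
// in the stored display name, drop leading dots, cap the length.
function sanitizeFileName(name) {
  const cleaned = String(name).replace(/[^A-Za-z0-9._-]+/g, '_');
  return cleaned.replace(/^\.+/, '').slice(0, 255) || 'file';
}

// Vulnerable pattern (hypothetical markup standing in for the uploader's
// real template): the message is assembled by concatenation and, in the
// browser, assigned to innerHTML. A name beginning with `">` closes the
// title attribute, so the attacker's <img onerror> becomes a live element.
function renderErrorVulnerable(fileName) {
  return '<li class="upload-error" title="' + fileName + '">' +
    "Some files couldn't be added: " + fileName + '</li>';
}

// Fixed pattern: encode once, where the untrusted value enters the markup.
function renderErrorSafe(fileName) {
  const safe = escapeHtml(fileName);
  return '<li class="upload-error" title="' + safe + '">' +
    "Some files couldn't be added: " + safe + '</li>';
}

// Test aid: list element tags in the markup other than our own <li>.
// A regex tag scan is enough for this demonstration; in a browser you
// would parse with DOMParser and walk the resulting nodes instead.
function injectedTags(html) {
  const tags = [];
  const re = /<\/?([A-Za-z][A-Za-z0-9]*)/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    if (tag !== 'li') tags.push(tag);
  }
  return tags;
}

// Run the payload through both renderers and the sanitizer.
function demo() {
  return {
    vulnerable: injectedTags(renderErrorVulnerable(MALICIOUS_NAME)),
    safe: injectedTags(renderErrorSafe(MALICIOUS_NAME)),
    storedName: sanitizeFileName(MALICIOUS_NAME),
  };
}

console.log(demo());
```

In a real page the equivalent of `renderErrorSafe` is to build the `<li>` with `document.createElement` and set the name via `textContent` or `setAttribute`, which never goes through the HTML parser; the string-building form is shown here only so the difference can be inspected outside a browser. Server-side, the same encoding rule applies wherever PHP echoes the stored name into a template.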
 