Confirmed Suspected XSS vulnerability in image upload

Version: 3.14.0
Website URL: https://gifyu.com
PHP version: 7.2.24
Database driver: MySQL
Database version: 8.0.18
Web browser: Chrome Version 79

mkerala2

Network license
Beta tester
An ethical hacker contacted me saying there is an XSS vulnerability on my site and shared a video of uploading a fake image file which triggered a prompt.

He said this type of code injection attack is carried out by an attacker by entering HTML code or other client script code into a site. This attack will be considered as if it came from the site. As a result of this attack, the attacker can bypass security on the client-side, get sensitive information, or save dangerous applications.

I am not sure to what extent this is true but still like to report this given that some XSS bugs were fixed in the recent release.

🚶‍Reproduction steps
  1. In Notepad add the following code
    "><img src=x onerror=prompt(1);>
  2. Save it under the name "><img src=x onerror=prompt(1);>.jpg (Windows OS doesn't support this filename. Use Android to rename)
  3. Upload the file to Chevereto
😢Unexpected result

A prompt will appear. Screenshot attached.

📃Error log message
Some files couldn't be added


lumiworx

Network license
License owner
This might not be of any direct help with Chevereto, but I usually add some directives into any site I set up to deal with Cross-Site Scripting issues as a very basic security precaution. I have this in place on 2 instances of Chevereto sites, and it doesn't seem to have had a negative effect.

I insert it at the bottom of the site's .htaccess file ...

Code:
<IfModule mod_headers.c>
    # HSTS: the directive value must be closed with a quote; env=HTTPS sits
    # outside the quotes so the header is only sent on HTTPS responses
    Header set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
</IfModule>
<IfModule mod_headers.c>
    Header set X-XSS-Protection "1; mode=block"
    Header always append X-Frame-Options SAMEORIGIN
    Header set X-Content-Type-Options nosniff
</IfModule>
If you don't have/use SSL, you could modify or drop the first block for Strict Transport: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security

Rodolfo

Chevereto Developer
Chevereto Staff
I confirm the bug, the issue is that the uploader handles the raw file name provided by the browser. It will be addressed in the next revision.
 
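To illustrate the root cause Rodolfo confirms above (a browser-supplied file name placed into the page unescaped) and the two defences that close it, here is an added example written for this thread. It is not Chevereto's code and not from any poster; the function names, the `/uploads/` path and the extension allow-list are assumptions made for the illustration. The sample file name is the one from the report.

```php
<?php
// Added example (not Chevereto's code): how a raw, browser-supplied file name
// becomes stored XSS, and two defensive layers that neutralise it.

// Constructed sample: the file name from the report, exactly as the browser sends it.
const UPLOADED_NAME = '"><img src=x onerror=prompt(1);>.jpg';

// Vulnerable rendering: the raw name is concatenated into HTML unescaped, so the
// leading "> closes the attribute and the injected <img> tag is executed.
function render_vulnerable(string $name): string
{
    return '<img src="/uploads/' . $name . '" alt="' . $name . '">';
}

// Layer 1: output encoding. Every untrusted value written into HTML goes through
// htmlspecialchars with ENT_QUOTES so both " and ' become entities.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Layer 2: never reuse the client's file name for storage. Keep only the
// extension, check it against an allow-list (assumed list), and generate the
// base name server side so the stored path contains nothing attacker-controlled.
function safe_stored_name(string $clientName, array $allowedExt = ['jpg', 'jpeg', 'png', 'gif', 'webp']): ?string
{
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, $allowedExt, true)) {
        return null; // reject: missing or non-image extension
    }
    return bin2hex(random_bytes(8)) . '.' . $ext;
}

// Hardened rendering: generated name in the URL, original name only ever shown
// after escaping. Returns null when the upload is rejected.
function render_hardened(string $clientName): ?string
{
    $stored = safe_stored_name($clientName);
    if ($stored === null) {
        return null;
    }
    return '<img src="/uploads/' . html_escape($stored) . '" alt="' . html_escape($clientName) . '">';
}

echo render_vulnerable(UPLOADED_NAME), PHP_EOL;
// The output contains a live <img src=x onerror=prompt(1);> tag: this is the prompt in the report.

echo render_hardened(UPLOADED_NAME), PHP_EOL;
// alt="&quot;&gt;&lt;img src=x onerror=prompt(1);&gt;.jpg" is inert text; src is a random hex name.
```

The fix has to live in the application: response headers like those in the `.htaccess` snippet above are defence in depth only, and Chrome stopped honouring `X-XSS-Protection` at version 78, so with the Chrome 79 listed in this report that header does nothing. Since the report mentions a fake image file, the same upload path should also verify the content (for example with `getimagesize()` or `finfo`) rather than trusting the extension alone.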