Suspected XSS vulnerability in image upload

mkerala2

Network license
Beta tester
An ethical hacker contacted me saying there is an XSS vulnerability on my site and shared a video of uploading a fake image file which triggered a prompt.

He said this type of code injection attack is carried out by an attacker by entering HTML code or other client script code into a site. This attack will be considered as if it came from the site. As a result of this attack, the attacker can bypass security on the client-side, get sensitive information, or save dangerous applications.

I am not sure to what extent this is true, but I would still like to report it, given that some XSS bugs were fixed in the recent release.

▶🚶‍Reproduction steps
  1. In Notepad, add the following code:
    "><img src=x onerror=prompt(1);>
  2. Save it under the name "><img src=x onerror=prompt(1);>.jpg (Windows doesn't support this filename; use Android to rename it).
  3. Upload the file to Chevereto.
😢Unexpected result

A prompt will appear. Screenshot attached.

📃Error log message
Some files couldn't be added
 

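The mechanics behind the report above, as an added example that is not Chevereto's code: the browser sends the filename verbatim (File.name and the multipart filename field), so a name like the one in step 2 is a ready-made HTML fragment. The vulnerable template below is an assumption about the shape of the bug (the thread only says the name is handled raw); the error text mirrors the log message from the report, the filenames are constructed test data, and the sanitisation policy is hypothetical. It works on strings so it runs under Node without a DOM.

```javascript
// Added example (not Chevereto's code): how an unescaped upload filename
// becomes markup, and two independent fixes. All inputs are constructed.

// Filename of the kind used in the report; the browser sends File.name and the
// multipart "filename" field verbatim, so the uploader sees exactly this.
const HOSTILE_NAME = '"><img src=x onerror=prompt(1);>.jpg';

// Vulnerable pattern (assumed; the thread only says the name is "handled raw"):
// the filename is concatenated into HTML in an attribute and in a text node.
function unsafeErrorMarkup(filename) {
  return '<li class="upload-error">Some files couldn\'t be added: ' +
    '<b title="' + filename + '">' + filename + '</b></li>';
}

// Fix 1: escape on output. Covers quoted attribute values and text nodes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function safeErrorMarkup(filename) {
  const name = escapeHtml(filename);
  return '<li class="upload-error">Some files couldn\'t be added: ' +
    '<b title="' + name + '">' + name + '</b></li>';
}

// Fix 2: normalise the name before it is stored, so it can never carry markup
// no matter which template prints it later. The policy (allowed charset, one
// extension, length cap) is hypothetical; an extension allowlist is a separate
// check that this function does not perform.
function sanitizeFilename(filename, maxLen = 100) {
  const base = String(filename).split(/[\\\/]/).pop();          // strip any path
  const m = base.match(/^(.*?)(?:\.([A-Za-z0-9]{1,8}))?$/);
  const ext = m[2] ? '.' + m[2].toLowerCase() : '';
  let stem = (m[1] || '')
    .replace(/[^A-Za-z0-9._-]+/g, '_')                           // collapse junk to '_'
    .replace(/^[._]+|[._]+$/g, '');                               // no leading/trailing dots
  if (stem === '') stem = 'file';
  return stem.slice(0, Math.max(1, maxLen - ext.length)) + ext;
}

// Check: list every tag name in a fragment. Only the tags the template itself
// writes (li, b) should ever appear; anything else came from user input.
function tagNames(html) {
  return Array.from(html.matchAll(/<\/?([A-Za-z][A-Za-z0-9]*)/g), (m) => m[1].toLowerCase());
}

function injectedTags(html, expected = ['li', 'b']) {
  return tagNames(html).filter((t) => !expected.includes(t));
}

// Stand-alone demo.
console.log('unsafe :', injectedTags(unsafeErrorMarkup(HOSTILE_NAME)));  // [ 'img', 'img' ]
console.log('escaped:', injectedTags(safeErrorMarkup(HOSTILE_NAME)));    // []
console.log('stored :', sanitizeFilename(HOSTILE_NAME));                  // img_src_x_onerror_prompt_1.jpg
```

Both fixes are worth having: escaping at the output site is what stops this exact prompt, while normalising the stored name protects every other place (galleries, admin listings, API responses) that later prints it.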

lumiworx

Network license
License owner
This might not be of any direct help with Chevereto, but I usually add some directives into any site I set up to deal with cross-site scripting issues as a very basic security precaution. I have this in place on 2 instances of Chevereto sites, and it hasn't seemed to have had a negative effect.

I insert it at the bottom of the site's .htaccess file ...

Code:
<IfModule mod_headers.c>
    # env=HTTPS is an Apache condition (only send on TLS responses) and belongs
    # outside the quoted header value; the closing quote was missing.
    Header set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS
</IfModule>
<IfModule mod_headers.c>
    Header set X-XSS-Protection "1; mode=block"
    Header always append X-Frame-Options SAMEORIGIN
    Header set X-Content-Type-Options nosniff
</IfModule>
If you don't have/use SSL, you could modify or drop the first block for Strict Transport: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
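A quick way to confirm the directives above actually reach the client, as an added example that is not part of the post: the function below reads an HTTP response header block on stdin and prints the names of the expected headers that are absent. The two sample responses are constructed; on a live site you would feed it `curl -sI https://your-site/`.

```sh
#!/bin/sh
# Added example (not from the thread): report which of the headers set in the
# .htaccess snippet are missing from an HTTP response. Samples are constructed.

# Header names we expect, one per line (matched case-insensitively).
WANTED="Strict-Transport-Security
X-Frame-Options
X-Content-Type-Options
X-XSS-Protection"

# Print the names from WANTED that do not appear in the header block on stdin.
# Usage: curl -sI https://your-site/ | missing_headers
missing_headers() {
  headers=$(cat)
  printf '%s\n' "$WANTED" | while IFS= read -r name; do
    if ! printf '%s\n' "$headers" | grep -qi "^$name:"; then
      printf '%s\n' "$name"
    fi
  done
}

# Constructed response before the .htaccess change.
SAMPLE_BEFORE='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8'

# Constructed response after the change (over HTTPS, so HSTS is present).
SAMPLE_AFTER='HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=UTF-8'

printf 'Missing before:\n%s\n' "$(printf '%s\n' "$SAMPLE_BEFORE" | missing_headers)"
printf 'Missing after: [%s]\n' "$(printf '%s\n' "$SAMPLE_AFTER" | missing_headers)"
```

Two caveats for anyone copying the snippet: Chromium removed its XSS Auditor in 2019 and Firefox never implemented one, so X-XSS-Protection gives little coverage in current browsers, and none of these headers prevent the filename from being written into the page; they reduce the impact, while the fix Rodolfo describes (not handling the raw name) removes the injection itself.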
 

Rodolfo

Chevereto Developer
Chevereto Staff
I confirm the bug. The issue is that the uploader handles the raw file name provided by the browser. It will be addressed in the next revision.
 