Possible XSS attack using SVG image embedded Javascript
Issue date: 23-03-2018
Affects versions: 12.1, 12.0, 11.2, 10.2
Issue ID: SECURITY-41
Affected Product Version(s)
This vulnerability applies to CMS 10.2.8, CMS 11.2.4, CMS 12.0.3 and CMS 12.1.0 and earlier versions.
Severity
low
Description
SVG images can carry embedded JavaScript, which could be executed with admin privileges when the image is rendered in the CMS.
This vulnerability is only exploitable by an authenticated CMS user who can upload images. As such, the severity of this vulnerability is low.
Instructions
For all current supported CMS versions this vulnerability has been fixed, through code changes only, and only requires updating to the latest maintenance releases: CMS 10.2.9, CMS 11.2.5, CMS 12.0.4 or CMS 12.1.1.
The applied fix CMS-11037 (and backports thereof) prevents upload of SVG images containing JavaScript instructions.
While this vulnerability is unlikely to have been exploited, the fix only prevents future misuse, i.e. it is applied when a new SVG image is uploaded; SVG images already in the repository are not re-checked.
To make sure existing content is free from this vulnerability, customers are strongly recommended to have an administrator run the check/report script below with the Updater Editor, after upgrading to the latest maintenance release!
SvgImageChecker script
The following reporting-only Groovy script can be executed by an administrator in the CMS Updater Editor after the maintenance upgrade (the script depends on some of the fixes and improvements) using the following settings:
Name: SvgImageChecker
Select node using: Updater
Batch Size: 1000
Script content:
package org.hippoecm.frontend.plugins.cms.admin.updater

import org.apache.commons.io.IOUtils
import org.apache.commons.lang.StringUtils
import org.onehippo.repository.update.BaseNodeUpdateVisitor

import javax.jcr.Node
import javax.jcr.NodeIterator
import javax.jcr.RepositoryException
import javax.jcr.Session
import javax.jcr.query.Query
import javax.jcr.query.QueryManager

// Reporting-only visitor: it never modifies nodes, it only logs the path of
// every hippogallery:image node whose SVG data contains a <script> tag.
class SvgImageChecker extends BaseNodeUpdateVisitor {

    private NodeIterator nodeIterator

    // Called once by the updater ("Select node using: Updater"): select all
    // gallery images with the SVG mime type and hand back the first one.
    Node firstNode(final Session session) throws RepositoryException {
        final QueryManager queryManager = session.getWorkspace().getQueryManager()
        final Query jcrQuery = queryManager.createQuery(
                "//element(*, hippogallery:image)[jcr:mimeType = 'image/svg+xml']", "xpath")
        nodeIterator = jcrQuery.execute().getNodes()
        return nextNode()
    }

    // Called repeatedly by the updater until null is returned.
    Node nextNode() throws RepositoryException {
        return nodeIterator.hasNext() ? nodeIterator.next() : null
    }

    // Read the SVG binary and do a case-insensitive search for "<script".
    // Returns false so the updater records the node as "not updated".
    boolean doUpdate(Node node) throws RepositoryException {
        def dataProperty = node.getProperty("jcr:data")
        def inputStream = dataProperty.getBinary().getStream()
        try {
            def svgContent = IOUtils.toString(inputStream, "UTF-8")
            if (StringUtils.containsIgnoreCase(svgContent, "<script")) {
                log.info("Found svg image containing <script> instruction: " + node.getPath())
            }
        } finally {
            IOUtils.closeQuietly(inputStream)
        }
        return false
    }

    boolean logSkippedNodePaths() {
        return false
    }

    boolean skipCheckoutNodes() {
        return true
    }

    // Nothing is changed, so there is nothing to undo.
    boolean undoUpdate(Node node) {
        throw new UnsupportedOperationException()
    }
}
After executing the above script, which might take some time depending on the number of SVG images in the repository, it will report all hippogallery:image nodes whose SVG image may contain this vulnerability.
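The advisory script matches the literal string "<script". As an added example that is not part of the advisory or of the CMS code base, the following Python function parses the SVG instead and goes beyond that check: it reports script elements (compared case-insensitively, like the advisory script), event-handler attributes and javascript: URIs in href attributes, and treats a document that does not parse as a finding because it cannot be vouched for. The sample SVG strings are constructed for this example.

```python
"""Reporting-only check for script content inside SVG documents."""
import xml.etree.ElementTree as ET

# Constructed sample SVGs for this example (not taken from the advisory).
SVG_CLEAN = '<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"/></svg>'
SVG_SCRIPT = '<svg xmlns="http://www.w3.org/2000/svg"><SCRIPT>alert(1)</SCRIPT></svg>'
SVG_HANDLER = '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><rect/></svg>'
SVG_HREF = ('<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
            '<a xlink:href="javascript:alert(1)"><text>x</text></a></svg>')


def _local_name(qualified):
    """Strip the '{namespace}' prefix ElementTree puts on qualified names."""
    return qualified.rsplit('}', 1)[-1]


def find_script_indicators(svg_text):
    """Return a list of findings; an empty list means nothing script-like was found.

    Note: for fully untrusted input a hardened parser such as defusedxml is
    preferable to xml.etree (entity expansion); stdlib is used here so the
    example runs without extra dependencies."""
    findings = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        # An unparseable document cannot be cleared, so report it.
        return ["unparseable SVG: %s" % exc]
    for elem in root.iter():
        name = _local_name(elem.tag).lower()
        if name == 'script':
            findings.append("<script> element")
        for attr, value in elem.attrib.items():
            attr_name = _local_name(attr).lower()
            if attr_name.startswith('on'):
                findings.append("event handler attribute %s on <%s>" % (attr_name, name))
            elif attr_name == 'href' and value.strip().lower().startswith('javascript:'):
                findings.append("javascript: URI in href on <%s>" % name)
    return findings


if __name__ == '__main__':
    for label, svg in (('clean', SVG_CLEAN), ('script', SVG_SCRIPT),
                       ('handler', SVG_HANDLER), ('href', SVG_HREF)):
        print(label, find_script_indicators(svg))
```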
Enabling upload of SVG images with embedded script
In order to enable upload of SVG images with embedded JavaScript, the boolean property svg.scripts.enabled should be added to the following nodes:
/hippo:namespaces/hippogallerypicker/imagelink/editor:templates/_default_/root
/hippo:configuration/hippo:workflows/gallery/image-gallery/frontend:renderer