[CVE-2021-39268] Stored XSS via SVG on SuiteCRM 7.11.18

After discovering the Bypass Content-Type Filter vulnerability on SuiteCRM 7.11.18, I discovered that SuiteCRM allowed uploading SVG files and performs filtering at clean_file_output function. However, this function only prevents redirecting to another domain by SVG file, it is unable to prevent client-side attacks.

I found an approach to perform a Client side attack after uploading an SVG file to the SuiteCRM.

The $upload_badext variable does not define SVG extension and there is no protection method against viewing SVG files. By inserting malicious JavaScript code within the SVG file, malicious user then uploads it to SuiteCRM. When successful, it make the user’s browser execute an arbitrary script once user viewing our malicious SVG file.

This is my Proof Of Concept:

  1. Lines 2320-2331 at utils.php, function clean_file_output only prevents redirecting to another domain if the content-type is image/svg+xml

2. Easily make the malicious SVG file

3. Upload the File we made

4. View this SVG file by using Preview feature on Download module

Advertisement
Privacy Settings

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s