Opened 3 months ago

Closed 3 months ago

Last modified 3 months ago

#14319 closed defect (fixed)

CVE-2017-5617: svgSalamander SSRF (Server-Side Request Forgery)

Reported by: sebastic Owned by: team
Priority: major Milestone: 17.02
Component: Core Version:
Keywords: Cc: sebastic

Description (last modified by Don-vip)

svgSalamander is vulnerable to a Server-Side Request Forgery issue discovered by Luc Lynx,
initially reported on the oss-security list (1) and also in the svgSalamander GitHub repository (2):

If the library is being used in a web application for processing user supplied SVG files then the app is vulnerable to SSRF.

The attacker can send a specially crafted svg file, for example

<svg width="5cm" height="4cm" version="1.1"
     xmlns="http://www.w3.org/2000/svg" xmlns:xlink= "http://www.w3.org/1999/xlink">
        <image xlink:href="https://host-in-the-trusted-network.com/test.jpg" x="0" y="0" height="50px" width="50px"/>
</svg>

and the lib will send the request inside the trusted network to the host-in-the-trusted-network.com (bypassing the firewall). In general, the attacker can use any scheme supported by default (such as file://, jar:// etc) or use application specific scheme.

How to fix - any schemes apart from data in the xlink:href attribute should be disallowed by default at
https://github.com/blackears/svgSalamander/blob/master/svg-core/src/main/java/com/kitfox/svg/ImageSVG.java#L120

Additional information:
https://cwe.mitre.org/data/definitions/918.html
http://www.slideshare.net/d0znpp/ssrf-attacks-and-sockets-smorgasbord-of-vulnerabilities

See also: Debian Bug #853134
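The "data: only" rule recommended above, as an added stand-alone Python illustration of the allowlist check (this is not the library's Java patch nor JOSM code; the function names and the two sample documents are constructed for this example):

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Scheme syntax from RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def href_scheme(href):
    """Lower-cased scheme of an href, or None for a relative reference.
    Surrounding whitespace is stripped first so that ' file:///x' is not
    mistaken for 'no scheme'; anything that still does not parse as a scheme
    is reported as None and therefore rejected by the allowlist below."""
    match = _SCHEME_RE.match(href.strip())
    return match.group(1).lower() if match else None


def find_unsafe_image_refs(svg_text):
    """Return every <image> reference that is not an inline data: URI.
    An empty list means the document satisfies the 'data: only' rule the
    ticket recommends for xlink:href. Parse untrusted input with defusedxml
    in production; ElementTree is used here only for the constructed samples."""
    root = ET.fromstring(svg_text)
    unsafe = []
    for elem in root.iter():
        if elem.tag not in ("{%s}image" % SVG_NS, "image"):
            continue
        # xlink:href is the SVG 1.1 attribute; bare href is the SVG 2 form.
        href = elem.get("{%s}href" % XLINK_NS, elem.get("href"))
        if href is not None and href_scheme(href) != "data":
            unsafe.append(href)
    return unsafe


# Constructed samples: the first mirrors the ticket's proof of concept, the
# second embeds a tiny GIF inline and is the only form the rule permits.
SSRF_SVG = """<svg width="5cm" height="4cm" version="1.1"
     xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="https://host-in-the-trusted-network.com/test.jpg" x="0" y="0" height="50px" width="50px"/>
</svg>"""

INLINE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="data:image/gif;base64,R0lGODlhAQABAAAAACwAAAAAAQABAAA=" x="0" y="0" height="1" width="1"/>
</svg>"""

if __name__ == "__main__":
    print("rejected references:", find_unsafe_image_refs(SSRF_SVG))    # the https:// image
    print("rejected references:", find_unsafe_image_refs(INLINE_SVG))  # []
```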

Attachments (0)

Change History (7)

comment:1 Changed 3 months ago by Don-vip

Description: modified (diff)

comment:2 Changed 3 months ago by Don-vip

Thanks for the report, I was following this since it popped up on GitHub. Sadly 5 days and still no answer from library author so I'm going to fix this myself.

comment:3 Changed 3 months ago by Don-vip

In 11525/josm:

see #14319 - update to latest version of svgSalamander (2017-01-07, patched)

comment:4 Changed 3 months ago by Don-vip

Resolution: fixed
Status: new → closed

In 11526/josm:

fix #14319 - CVE-2017-5617: svgSalamander SSRF (Server-Side Request Forgery)

comment:5 Changed 3 months ago by Don-vip

Tomorrow morning if all tests are OK I will probably promote the latest release as new stable version (17.01 hotfix).

comment:6 Changed 3 months ago by anonymous

Thanks for the fixes. I've included your changes in the svgsalamander Debian package.

Due to leaving for FOSDEM tomorrow, I'm unlikely to have time to package the 17.01 hotfix until after FOSDEM.

comment:7 Changed 3 months ago by Don-vip

Done: r11526 is the new hotfix
