
Opened 10 months ago

Closed 10 months ago

Last modified 10 months ago

#14319 closed defect (fixed)

CVE-2017-5617: svgSalamander SSRF (Server-Side Request Forgery)

Reported by: sebastic
Owned by: team
Priority: major
Milestone: 17.02
Component: Core
Version:
Keywords:
Cc: sebastic

Description (last modified by Don-vip)

svgSalamander is vulnerable to a Server-Side Request Forgery issue discovered by Luc Lynx,
initially reported on the oss-security list (1) and also in the svgSalamander GitHub repository (2):

If the library is being used in a web application for processing user supplied SVG files then the app is vulnerable to SSRF.

The attacker can send a specially crafted svg file, for example

<svg width="5cm" height="4cm" version="1.1"
     xmlns="http://www.w3.org/2000/svg" xmlns:xlink= "http://www.w3.org/1999/xlink">
        <image xlink:href="https://host-in-the-trusted-network.com/test.jpg" x="0" y="0" height="50px" width="50px"/>
</svg>

and the lib will send the request inside the trusted network to the host-in-the-trusted-network.com (bypassing the firewall). In general, the attacker can use any scheme supported by default (such as file://, jar:// etc) or use application specific scheme.

How to fix - any schemes apart from data in the xlink:href attribute should be disallowed by default at
https://github.com/blackears/svgSalamander/blob/master/svg-core/src/main/java/com/kitfox/svg/ImageSVG.java#L120

Additional information:
https://cwe.mitre.org/data/definitions/918.html
http://www.slideshare.net/d0znpp/ssrf-attacks-and-sockets-smorgasbord-of-vulnerabilities

See also: Debian Bug #853134
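The allow-list the report asks for, written out as an added example. This is a hypothetical standalone Java class, not svgSalamander's or JOSM's own code, and the real patch in ImageSVG.java may be structured differently: the guard accepts only data: URIs, rejects every other scheme as well as scheme-less relative references, and decodes the accepted payload locally so that no network or file access is ever triggered by an xlink:href value. The sample hrefs in main() are constructed for the demonstration (the first one is the report's own example).

```java
import java.io.ByteArrayOutputStream;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Base64;
import java.util.Locale;

/**
 * Illustrative guard for an SVG <image xlink:href="..."> value (hypothetical class,
 * not part of svgSalamander): everything except a data: URI is refused, so a crafted
 * document cannot make the parser open an http(s)://, file:// or jar:// resource.
 */
public final class SafeImageHref {

    private SafeImageHref() {}

    /** True only for data: URIs. Scheme-less (relative) references are rejected too,
     *  because a resolver would turn them into a network or file access relative to the base. */
    public static boolean isAllowed(String href) {
        if (href == null) {
            return false;
        }
        String trimmed = href.trim(); // surrounding whitespace must not hide the scheme
        String scheme;
        try {
            scheme = new URI(trimmed).getScheme();
        } catch (URISyntaxException e) {
            return false; // unparsable references are never fetched
        }
        return scheme != null && "data".equals(scheme.toLowerCase(Locale.ROOT));
    }

    /** Decodes the payload of an allowed data: URI (base64 or percent-encoded);
     *  returns null for anything isAllowed() rejects or for a malformed data URI. */
    public static byte[] decodeDataUri(String href) {
        if (!isAllowed(href)) {
            return null;
        }
        String body = href.trim().substring("data:".length());
        int comma = body.indexOf(',');
        if (comma < 0) {
            return null;
        }
        String mediaType = body.substring(0, comma);
        String payload = body.substring(comma + 1);
        try {
            if (mediaType.toLowerCase(Locale.ROOT).endsWith(";base64")) {
                return Base64.getDecoder().decode(payload);
            }
            return percentDecode(payload);
        } catch (IllegalArgumentException e) {
            return null; // bad base64 or bad %xx escape
        }
    }

    /** Minimal percent-decoding for the textual data: form ('+' stays literal, unlike URLDecoder). */
    private static byte[] percentDecode(String s) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '%') {
                if (i + 2 >= s.length()) {
                    throw new IllegalArgumentException("truncated escape");
                }
                out.write(Integer.parseInt(s.substring(i + 1, i + 3), 16));
                i += 2;
            } else {
                out.write((byte) c);
            }
        }
        return out.toByteArray();
    }

    public static void main(String[] args) {
        // Constructed sample hrefs: the report's example plus variants an allow-list must handle.
        String[] samples = {
            "https://host-in-the-trusted-network.com/test.jpg", // the report's example: rejected
            "file:///etc/hostname",                              // rejected
            "jar:file:///tmp/x.jar!/y.png",                       // rejected
            "images/logo.png",                                    // relative reference: rejected
            "  DATA:text/plain,hello%20world",                    // accepted (case and whitespace tolerant)
            "data:image/png;base64,iVBORw0KGgo="                  // accepted, decodes to the 8-byte PNG signature
        };
        for (String href : samples) {
            byte[] bytes = decodeDataUri(href);
            System.out.printf("%-52s allowed=%-5s bytes=%s%n", href, isAllowed(href),
                    bytes == null ? "-" : bytes.length);
        }
    }
}
```

The point of decoding inside the guard is that the rest of the image-loading path never sees a URL at all; it receives bytes or nothing, which removes the temptation to fall back to `new URL(href).openStream()` for anything the check let through.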

Attachments (0)

Change History (7)

comment:1 Changed 10 months ago by Don-vip

Description: modified (diff)

comment:2 Changed 10 months ago by Don-vip

Thanks for the report, I was following this since it popped on Github. Sadly 5 days and still no answer from library author so I'm going to fix this myself.

comment:3 Changed 10 months ago by Don-vip

In 11525/josm:

see #14319 - update to latest version of svgSalamander (2017-01-07, patched)

comment:4 Changed 10 months ago by Don-vip

Resolution: fixed
Status: new → closed

In 11526/josm:

fix #14319 - CVE-2017-5617: svgSalamander SSRF (Server-Side Request Forgery)

comment:5 Changed 10 months ago by Don-vip

Tomorrow morning if all tests are OK I will probably promote the latest release as new stable version (17.01 hotfix).

comment:6 Changed 10 months ago by anonymous

Thanks for the fixes. I've included your changes in the svgsalamander Debian package.

Due to leaving for FOSDEM tomorrow, I'm unlikely to have time to package the 17.01 hotfix until after FOSDEM.

comment:7 Changed 10 months ago by Don-vip

Done: r11526 is the new hotfix
