Opened 7 years ago
Last modified 4 years ago
#14319 closed defect
CVE-2017-5617: svgSalamander SSRF (Server-Side Request Forgery) — at Initial Version
Reported by: | sebastic | Owned by: | team |
---|---|---|---|
Priority: | major | Milestone: | 17.02 |
Component: | Core | Version: | |
Keywords: | svgsalamander cve ssrf | Cc: | sebastic |
Description
svgSalamander is vulnerable to a Server-Side Request Forgery issue discovered by Luc Lynx,
initially reported on the oss-security list (1) and also in the svgSalamander GitHub repository (2):
If the library is being used in a web application for processing user supplied SVG files then the app is vulnerable to SSRF.
The attacker can send a specially crafted svg file, for example:

```xml
<svg width="5cm" height="4cm" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="https://host-in-the-trusted-network.com/test.jpg" x="0" y="0" height="50px" width="50px"/>
</svg>
```

and the lib will send the request inside the trusted network to host-in-the-trusted-network.com (bypassing the firewall). In general, the attacker can use any scheme supported by default (such as file://, jar:// etc) or use an application-specific scheme.
How to fix: any scheme apart from data in the xlink:href attribute should be disallowed by default at
https://github.com/blackears/svgSalamander/blob/master/svg-core/src/main/java/com/kitfox/svg/ImageSVG.java#L120
Additional information:
https://cwe.mitre.org/data/definitions/918.html
http://www.slideshare.net/d0znpp/ssrf-attacks-and-sockets-smorgasbord-of-vulnerabilities
See also: Debian Bug #853134
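A defensive pre-filter for the issue described in this ticket, added here as an example and not code from the ticket or from svgSalamander: it parses a user-supplied SVG before it reaches the renderer and reports every href/xlink:href whose value is not a data: URI, which is the allow-list the reporter suggests. It goes beyond the ticket's `<image>` case by checking every element (e.g. `<use>`); the sample SVGs and the decision to also allow same-document `#fragment` references are my assumptions.

```python
import re
import xml.etree.ElementTree as ET

XLINK_NS = "http://www.w3.org/1999/xlink"
# SVG 1.1 uses xlink:href; SVG 2 also accepts a plain href attribute.
HREF_ATTRS = ("href", "{%s}href" % XLINK_NS)
# RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":"
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")

def classify_href(value):
    """Return 'data' or 'fragment' (allowed), else the scheme name or 'relative'."""
    v = value.strip()
    if v.startswith("#"):          # same-document reference, e.g. <use href="#id">
        return "fragment"
    m = SCHEME_RE.match(v)
    if m:
        return m.group(1).lower()  # 'data' is the only scheme the caller allows
    # No scheme: a relative or //host reference that a renderer would
    # resolve against its base URL and fetch, so treat it as unsafe too.
    return "relative"

def find_unsafe_refs(svg_text):
    """List (element, attribute, value) for every reference that is not data:/#."""
    root = ET.fromstring(svg_text)
    unsafe = []
    for el in root.iter():  # every element, not only <image>
        for attr in HREF_ATTRS:
            if attr in el.attrib:
                value = el.attrib[attr]
                if classify_href(value) not in ("data", "fragment"):
                    # strip Clark-notation namespaces for readable output
                    unsafe.append((el.tag.split("}")[-1], attr.split("}")[-1], value))
    return unsafe

# Constructed samples (assumptions modelled on the ticket's proof of concept).
SSRF_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="%s">'
    '<image xlink:href="https://host-in-the-trusted-network.com/test.jpg"/>'
    '</svg>' % XLINK_NS
)
SAFE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="%s">'
    '<defs><circle id="c" r="1"/></defs><use xlink:href="#c"/>'
    '<image href="data:image/png;base64,iVBORw0KGgo="/></svg>' % XLINK_NS
)

if __name__ == "__main__":
    print(find_unsafe_refs(SSRF_SVG))  # one finding: the https:// image
    print(find_unsafe_refs(SAFE_SVG))  # []
```

Rejecting the document when the list is non-empty is the conservative choice; XML entity handling is a separate concern that this filter does not address.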