Opened 2 years ago

Closed 2 years ago

Last modified 4 months ago

#14319 closed defect (fixed)

CVE-2017-5617: svgSalamander SSRF (Server-Side Request Forgery)

Reported by: sebastic
Owned by: team
Priority: major
Milestone: 17.02
Component: Core
Version:
Keywords:
Cc: sebastic

Description (last modified by Don-vip)

svgSalamander is vulnerable to a Server-Side Request Forgery issue discovered by Luc Lynx,
initially reported on the oss-security list (1) and also in the svgSalamander GitHub repository (2):

If the library is being used in a web application for processing user supplied SVG files then the app is vulnerable to SSRF.

The attacker can send a specially crafted svg file, for example

<svg width="5cm" height="4cm" version="1.1"
     xmlns="http://www.w3.org/2000/svg" xmlns:xlink= "http://www.w3.org/1999/xlink">
        <image xlink:href="https://host-in-the-trusted-network.com/test.jpg" x="0" y="0" height="50px" width="50px"/>
</svg>

and the lib will send the request inside the trusted network to the host-in-the-trusted-network.com (bypassing the firewall). In general, the attacker can use any scheme supported by default (such as file://, jar:// etc) or use application specific scheme.

How to fix - any schemes apart from data in the xlink:href attribute should be disallowed by default at
https://github.com/blackears/svgSalamander/blob/master/svg-core/src/main/java/com/kitfox/svg/ImageSVG.java#L120

Additional information:
https://cwe.mitre.org/data/definitions/918.html
http://www.slideshare.net/d0znpp/ssrf-attacks-and-sockets-smorgasbord-of-vulnerabilities

See also: Debian Bug #853134

Attachments (0)

Change History (13)

comment:1 Changed 2 years ago by Don-vip

Description: modified (diff)

comment:2 Changed 2 years ago by Don-vip

Thanks for the report, I was following this since it popped on Github. Sadly 5 days and still no answer from library author so I'm going to fix this myself.

comment:3 Changed 2 years ago by Don-vip

In 11525/josm:

see #14319 - update to latest version of svgSalamander (2017-01-07, patched)

comment:4 Changed 2 years ago by Don-vip

Resolution: fixed
Status: new → closed

In 11526/josm:

fix #14319 - CVE-2017-5617: svgSalamander SSRF (Server-Side Request Forgery)

comment:5 Changed 2 years ago by Don-vip

Tomorrow morning if all tests are OK I will probably promote the latest release as new stable version (17.01 hotfix).

comment:6 Changed 2 years ago by anonymous

Thanks for the fixes. I've included your changes in the svgsalamander Debian package.

Due to leaving for FOSDEM tomorrow, I'm unlikely to have time to package the 17.01 hotfix until after FOSDEM.

comment:7 Changed 2 years ago by Don-vip

Done: r11526 is the new hotfix

comment:8 Changed 7 months ago by Don-vip

Library author fixed it differently.

When we update svgSalamander we must use SVGUniverse.setImageDataInlineOnly(true)
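The SSRF vector described in the ticket description and the inline-only policy mentioned in comment 8, as an added example that is not part of this ticket, of JOSM or of svgSalamander's own code: a pre-filter an application can run over user-supplied SVG before handing it to any renderer, shown here in Python so it is independent of the library. It implements the rule the report proposes (an <image> href is accepted only when its scheme is data:) and goes one step further by decoding the inline payload, so the application can pass raw bytes to its own image decoder instead of letting the SVG library dereference anything. All function names and the sample documents are constructed for this example; the first sample is the SVG from the report, the others vary only its href.

```python
import base64
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

XLINK_NS = "http://www.w3.org/1999/xlink"
# SVG 2 also allows an un-prefixed 'href' next to 'xlink:href'; check both.
HREF_ATTRS = ("{%s}href" % XLINK_NS, "href")

# RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":".
_SCHEME_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9+.\-]*):")
# data:[<mediatype>][;param]*[;base64],<payload>
_DATA_RE = re.compile(r"^\s*data:([^,;]*)((?:;[^,;]*)*),(.*)$", re.DOTALL)


def href_scheme(href: str) -> Optional[str]:
    """Lower-cased URI scheme of href, or None for a scheme-less (relative) reference."""
    m = _SCHEME_RE.match(href)
    return m.group(1).lower() if m else None


def _image_hrefs(svg_text: str) -> List[str]:
    """Collect every href carried by an <image> element, namespaced or not.

    Only the XML is parsed here; nothing referenced by the document is fetched.
    """
    root = ET.fromstring(svg_text)
    hrefs = []
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] != "image":
            continue
        for attr in HREF_ATTRS:
            href = el.get(attr)
            if href is not None:
                hrefs.append(href)
    return hrefs


def find_external_image_refs(svg_text: str) -> List[str]:
    """Return every <image> href that is not an inline data: URI.

    Scheme-less (relative) hrefs are reported as well: a renderer resolves them
    against the document's base URL, which may itself be file: or http:, so
    they still make the process fetch something outside the document.
    """
    return [h for h in _image_hrefs(svg_text) if href_scheme(h) != "data"]


def is_safe_svg(svg_text: str) -> bool:
    """True when no <image> in the document references anything outside it."""
    return not find_external_image_refs(svg_text)


def decode_data_uri(href: str) -> Tuple[str, bytes]:
    """Decode a data: URI into (media_type, payload_bytes).

    Only the ';base64' form is accepted, so a downstream image decoder sees
    exactly the bytes the submitter embedded and nothing is ever fetched.
    """
    m = _DATA_RE.match(href)
    if not m:
        raise ValueError("not a data: URI")
    media_type, params, payload = m.group(1), m.group(2), m.group(3)
    if ";base64" not in params.lower():
        raise ValueError("only base64 data: URIs are accepted")
    payload = "".join(payload.split())  # base64 in attributes may be line-wrapped
    return (media_type or "text/plain").lower(), base64.b64decode(payload, validate=True)


def inline_images(svg_text: str) -> List[Tuple[str, bytes]]:
    """Decode every <image> payload, refusing the whole document if any href is external."""
    external = find_external_image_refs(svg_text)
    if external:
        raise ValueError("external image reference(s): " + ", ".join(external))
    return [decode_data_uri(h) for h in _image_hrefs(svg_text)]


# Constructed samples: the SVG from the report, then the same document with a
# file: URL (scheme case-mangled on purpose) and with an inline data: image.
TARGET = "https://host-in-the-trusted-network.com/test.jpg"
SSRF_SVG = """<svg width="5cm" height="4cm" version="1.1"
     xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="%s" x="0" y="0" height="50px" width="50px"/>
</svg>""" % TARGET
FILE_SVG = SSRF_SVG.replace(TARGET, "FILE:///etc/hostname")
# 1x1 transparent GIF (42 bytes), a well-known constant used as the inline payload.
TINY_GIF_B64 = "R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"
INLINE_SVG = SSRF_SVG.replace(TARGET, "data:image/gif;base64," + TINY_GIF_B64)

if __name__ == "__main__":
    for name, doc in (("report", SSRF_SVG), ("file", FILE_SVG), ("inline", INLINE_SVG)):
        print(name, "safe" if is_safe_svg(doc) else "rejected: %s" % find_external_image_refs(doc))
    print(inline_images(INLINE_SVG)[0][0], inline_images(INLINE_SVG)[0][1][:6])
```

Run in front of the renderer, the report's document is rejected because of its https href, the file: variant is rejected regardless of scheme case, and only the data: variant reaches the decoder, which then receives the GIF bytes directly. Keeping a check like this in the application is worth doing even with a library-side switch such as the setImageDataInlineOnly(true) from comment 8, since the ticket records the 1.1.2 library-side fix as incomplete.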

comment:9 Changed 4 months ago by Don-vip

In 14328/josm:

see #14319, see #16838 - update to svgSalamander 1.1.2

comment:10 Changed 4 months ago by Don-vip

In 14331/josm:

see #14319, see #16838 - fix regressions introduced in svgSalamander 1.1.2

see https://github.com/blackears/svgSalamander/issues/29

comment:11 Changed 4 months ago by Don-vip

Ah, the upstream fix is not correct! so svgSalamander 1.1.2 is still vulnerable.

comment:12 Changed 4 months ago by Don-vip

In 14334/josm:

see #14319, see #16838 - svgSalamander fix for CVE-2017-5617 was incomplete

See https://github.com/blackears/svgSalamander/issues/11

comment:13 Changed 4 months ago by Don-vip

In 14361/josm:

see #14319, see #16838 - fix another NPE / regression from svgSalamander 1.1.2 (causing unit test failure in DXF plugin)

see https://github.com/blackears/svgSalamander/pull/34
