.svg files can execute malicious js code
Categories: Core :: SVG, defect
Reporter: pm.mahendra1, Unassigned
Attachments (1 file): 420 bytes, image/svg+xml
User Agent: Mozilla/5.0 (Linux; Android 9; COR-AL00) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.105 Mobile Safari/537.36
Firefox for Android
Steps to reproduce:
- I created a .svg file with this code:
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="40,20 50,50 50,100" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
document.cookie="x=password";
alert(document.cookie);
</script>
</svg>
- I uploaded this file onto my server.
- Then I opened this file in the Firefox browser (http://designs.ndev.xyz/img/1.svg)
Actual results:
As you can see by going to this link (http://designs.ndev.xyz/img/1.svg), .svg files can execute JS code.
Expected results:
SVG files should not execute JS code.
If an attacker can somehow upload this malicious .svg file onto any server, the attacker can steal cookies, redirect any user to another site, or worse than that.
UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:87.0) Gecko/20100101 Firefox/87.0
Comment 1 • 4 years ago
SVGs are specified as "documents", and scripting is an intentional part of the format (to perform animations, for instance). As you fear it can cause all kinds of security problems for sites, and there are a lot of articles warning people about the dangers of hosting these and trying to help them do it safely. There are even posts with "SVG == XSS!" in the title.
Firefox has to implement SVGs as they are specified for web compatibility, but we have implemented a few things to help sites host these more safely:
- SVGs loaded through an <img> tag will not execute any scripts
- the <iframe sandbox> feature can be used to disable scripts in framed SVG documents
- the Content-Security-Policy: script-src 'none'; header can be served with all hosted SVGs to tell the browser not to run any scripts in it.