Closed Bug 1702006 Opened 4 years ago Closed 4 years ago

.svg files can execute malicious js code

Categories

(Core :: SVG, defect)

Firefox 87
defect

Tracking

RESOLVED INVALID

People

(Reporter: pm.mahendra1, Unassigned)

Details

Attachments

(1 file)

Attached image 1.svg

User Agent: Mozilla/5.0 (Linux; Android 9; COR-AL00) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.105 Mobile Safari/537.36
Firefox for Android

Steps to reproduce:

  1. I created a .svg file with this code

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="40,20 50,50 50,100" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
document.cookie="x=password";
alert(document.cookie);
</script>
</svg>

  2. I uploaded this file onto my server.
  3. Then I opened this file in the Firefox browser (http://designs.ndev.xyz/img/1.svg)

Actual results:

As you can see by going to this link (http://designs.ndev.xyz/img/1.svg), .svg files can execute js code.

Expected results:

svg files should not execute js code.

If an attacker can somehow upload this malicious .svg file onto any server, the attacker can steal cookies, redirect any user to another site, or worse than that.

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:87.0) Gecko/20100101 Firefox/87.0

SVGs are specified as "documents", and scripting is an intentional part of the format (to perform animations, for instance). As you fear, it can cause all kinds of security problems for sites, and there are a lot of articles warning people about the dangers of hosting these and trying to help them do it safely. There are even posts with "SVG == XSS!" in the title.

Firefox has to implement SVGs as they are specified for web compatibility, but we have implemented a few things to help sites host these more safely:

  1. SVGs loaded through an <img> tag will not execute any scripts
  2. the <iframe sandbox> feature can be used to disable scripts in framed SVG documents
  3. the Content-Security-Policy: script-src 'none'; header can be served with all hosted SVGs to tell the browser not to run any scripts in it.
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → INVALID
Component: Untriaged → SVG
Product: Firefox → Core
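The three mitigations listed in the reply above, as an added Python example that is not part of the bug report or of Mozilla's code: a triage check that flags script-capable content in an uploaded SVG (it goes beyond the report's script element and also reports on* event-handler attributes and javascript: URLs), the Content-Security-Policy header from item 3, and the embedding forms from items 1 and 2. The function names and the sample SVGs are constructed for this example; the check is a way to spot uploads that need attention, while the headers and embedding forms are what actually keep scripts from running.

```python
"""Defensive handling of hosted SVG uploads (added example; not Mozilla's code)."""
import xml.etree.ElementTree as ET


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1]


def find_active_content(svg_text: str) -> list[str]:
    """Return findings describing script-capable content in an SVG document.

    An empty list means no <script> element, no on* event-handler attribute and
    no javascript: URL was found. This is a triage check, not a sanitizer: the
    policy in comment 1 (CSP, <img>, sandboxed iframe) is what stops execution.
    """
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    for el in root.iter():
        tag = _local(el.tag) if isinstance(el.tag, str) else ""
        if tag == "script":
            findings.append("script element")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.lower().startswith("on"):
                findings.append(f"event handler attribute {name} on <{tag}>")
            # Covers both plain href and xlink:href (namespace stripped above).
            if name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL in href on <{tag}>")
    return findings


def svg_response_headers() -> dict[str, str]:
    """Headers to send with every hosted SVG so the browser renders it without
    running scripts. The CSP value is the one from comment 1; nosniff is a
    standard addition so the file is not reinterpreted as another type."""
    return {
        "Content-Type": "image/svg+xml",
        "Content-Security-Policy": "script-src 'none'",
        "X-Content-Type-Options": "nosniff",
    }


def safe_embedding(url: str) -> dict[str, str]:
    """The two embedding forms from comment 1 in which SVG scripts do not run."""
    return {
        "img": f'<img src="{url}" alt="">',
        "iframe": f'<iframe sandbox src="{url}"></iframe>',
    }


# Constructed samples. The first mirrors the shape of the reporter's file.
SCRIPTED_SVG = """<?xml version="1.0" standalone="no"?>
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="40,20 50,50 50,100" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
document.cookie="x=password";
alert(document.cookie);
</script>
</svg>"""

HANDLER_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<rect width="10" height="10" onload="x()"/>
<a xlink:href="javascript:x()"><text>x</text></a>
</svg>"""

CLEAN_SVG = """<svg xmlns="http://www.w3.org/2000/svg">
<polygon points="40,20 50,50 50,100" fill="#009900"/>
</svg>"""

if __name__ == "__main__":
    for label, doc in (("scripted", SCRIPTED_SVG), ("handler", HANDLER_SVG), ("clean", CLEAN_SVG)):
        print(label, find_active_content(doc))
    print(svg_response_headers())
    print(safe_embedding("https://example.invalid/uploads/1.svg"))
```

Serving the headers from `svg_response_headers()` is the piece that protects a site even when the upload check is bypassed, since it applies to the SVG regardless of what it contains; the triage check is useful for flagging uploads for review or for rejecting the obvious cases early.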