
SSRF (Server-Side Request Forgery) is possible [CVE-2017-5617] #11

Closed
luc-lynx opened this issue Jan 27, 2017 · 9 comments

Comments

@luc-lynx

luc-lynx commented Jan 27, 2017

If the library is being used in a web application for processing user supplied SVG files then the app is vulnerable to SSRF.

The attacker can send a specially crafted svg file, for example

<svg width="5cm" height="4cm" version="1.1"
     xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
    <image xlink:href="https://host-in-the-trusted-network.com/test.jpg" x="0" y="0" height="50px" width="50px"/>
</svg>

and the lib will send the request inside the trusted network to host-in-the-trusted-network.com (bypassing the firewall). In general, the attacker can use any scheme supported by default (such as file://, jar:// etc.) or use an application-specific scheme.

How to fix: any scheme apart from data in the xlink:href attribute should be disallowed by default at https://github.com/blackears/svgSalamander/blob/master/svg-core/src/main/java/com/kitfox/svg/ImageSVG.java#L120

Additional information:
https://cwe.mitre.org/data/definitions/918.html
http://www.slideshare.net/d0znpp/ssrf-attacks-and-sockets-smorgasbord-of-vulnerabilities
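An added example, not code from this report or from the svgSalamander project: a Python validator an application can run on a user-supplied SVG before handing it to any renderer, enforcing the policy recommended above (only data: URIs in href attributes). The function and constant names are my own, and the two sample documents are constructed from the crafted file in the report.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# SVG 1.1 puts href in the XLink namespace; SVG 2 also allows a plain "href".
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
ALLOWED_SCHEMES = {"data"}  # inline images only, as the issue recommends


def external_refs(svg_text):
    """Return (element, scheme, href) for every href that is not an inline data: URI.

    Every element is checked, not only <image>: <use>, <a>, <feImage> and others
    can carry an href that a renderer may fetch.
    """
    root = ET.fromstring(svg_text)  # expat does not fetch external entities here;
                                    # use defusedxml for untrusted XML in production
    findings = []
    for el in root.iter():
        for attr in (XLINK_HREF, "href"):
            ref = el.get(attr)
            if ref is None:
                continue
            scheme = urlsplit(ref.strip()).scheme.lower()
            if scheme not in ALLOWED_SCHEMES:
                # "" means a relative or scheme-relative reference (//host/x);
                # those still resolve to a fetch, so they are rejected as well
                findings.append((el.tag.split("}")[-1], scheme or "relative", ref))
    return findings


def is_safe_svg(svg_text):
    """True only if the document parses and references nothing outside itself."""
    try:
        return not external_refs(svg_text)
    except ET.ParseError:
        return False


# Constructed inputs: the crafted file from the report and an inline-only variant.
CRAFTED_SVG = """<svg width="5cm" height="4cm" version="1.1"
     xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="https://host-in-the-trusted-network.com/test.jpg"
         x="0" y="0" height="50px" width="50px"/>
</svg>"""

INLINE_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="data:image/gif;base64,R0lGODlhAQABAAAAACw=" x="0" y="0" height="1" width="1"/>
</svg>"""

if __name__ == "__main__":
    for name, doc in (("crafted", CRAFTED_SVG), ("inline", INLINE_SVG)):
        print(name, "safe" if is_safe_svg(doc) else "rejected", external_refs(doc))
```

Run as a pre-processing step on uploads; a non-empty result from external_refs is also a useful log event, since it records exactly which scheme and host the file tried to reach.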

@carnil

carnil commented Jan 28, 2017

A CVE was requested on oss-security.


@don-vip
Contributor

don-vip commented Feb 2, 2017

Fixed in JOSM embedded fork: https://josm.openstreetmap.de/changeset/11526/josm

@sebastic

sebastic commented Feb 3, 2017

@don-vip, will you also provide a PR with the changes from JOSM?

Otherwise I'll create a PR with your changes for inclusion in this repository.

@don-vip
Contributor

don-vip commented Feb 3, 2017

Done: #12

@luc-lynx luc-lynx changed the title SSRF (Server-Side Request Forgery) is possible SSRF (Server-Side Request Forgery) is possible [CVE-2017-5617] Feb 5, 2017
@luc-lynx
Author

luc-lynx commented Feb 5, 2017

@don-vip great! thanks!

@blackears
Owner

I'm replacing the work done here with a flag that you can set in SVG Universe. The implementation that was done for #12 simply deletes the old functionality.

@don-vip
Contributor

don-vip commented Aug 4, 2018

Commit for reference: a0cdd69

@don-vip
Contributor

don-vip commented Oct 14, 2018

The fix is incomplete. We added in JOSM a non-regression test to make sure we're never vulnerable, and the test fails now that I updated to 1.1.2 without the patch we added in our fork. I'm going to submit a new PR that fixes the problem for good.

don-vip added a commit to don-vip/svgSalamander that referenced this issue Oct 14, 2018
floscher pushed a commit to floscher/josm that referenced this issue Oct 14, 2018