Title: eyeOS <= 1.9.0.2 Stored XSS vulnerability using image files
Product: eyeOS <= 1.9.0.2
Author: Alberto Ortega @a0rtega alberto[at]pentbox[dot]net
http://securitybydefault.com/

- Summary:

A stored XSS vulnerability using image files (jpg, png and gif were tested) affects eyeOS version 1.9.0.2; older versions are probably affected too. The eyeOS 2.x branch doesn't seem to be affected.

- Attack vector:

eyeOS is a virtual desktop where you can store files (besides other amazing stuff). The file type is determined by the extension (for example .txt or .jpg).

When the user opens an image file in eyeOS, a new HTML frame is opened with the image file.

That is fine by itself; the problem is that we can upload files that aren't images with an image extension, and they will be opened in a frame too. That means we can upload an HTML file (with JS inside, why not?) and it will be opened in a new frame when a user clicks on it.

Stored XSS is done.

- PoC file:

$ file xss.jpg
xss.jpg: HTML document text
$ cat xss.jpg
<!doctype html>
<script>alert("XSS done");</script>

- Risks and consequences:

Malicious users can inject code inside image files (malware, browser exploits, etc.) to attack other users and compromise the whole system via shared files or internal messages.

- Mitigations:

Disallow public dirs.

Avoid working with images.

- Solution:

Verify on the server side that the file extension matches the file type before storing it in the system.
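The server-side check described above, as an added example that is not eyeOS code: the leading bytes of the upload are compared against the signature of the format the extension claims (jpg, png and gif, the three types tested in this advisory), so a file such as xss.jpg that actually holds HTML is rejected before it is stored. The function names and the sample payload are constructed for this example.

```python
"""Server-side extension vs. content check for image uploads (added example, not eyeOS code)."""
import os

# Magic-byte signatures for the three formats tested in the advisory.
SIGNATURES = {
    "jpg": [b"\xff\xd8\xff"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
}
# Extension spellings that map onto the same format.
EXTENSION_ALIASES = {"jpeg": "jpg"}


def sniff_image_type(data: bytes):
    """Return 'jpg', 'png' or 'gif' from the leading bytes, or None if no signature matches."""
    for kind, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return kind
    return None


def normalized_extension(filename: str) -> str:
    """Lower-cased extension without the dot, with aliases folded (e.g. .JPEG -> jpg)."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    return EXTENSION_ALIASES.get(ext, ext)


def validate_image_upload(filename: str, data: bytes) -> bool:
    """Accept only when the extension claims a known image type and the bytes agree.

    Anything else (unknown extension, or content whose signature does not match the
    claimed type, such as an HTML document named xss.jpg) is refused before storage.
    """
    ext = normalized_extension(filename)
    if ext not in SIGNATURES:
        return False
    return sniff_image_type(data) == ext


if __name__ == "__main__":
    # Constructed sample: the advisory's PoC payload saved under an image name.
    html_payload = b'<!doctype html>\n<script>alert("XSS done");</script>\n'
    print(validate_image_upload("xss.jpg", html_payload))  # False
    # Constructed sample: a minimal PNG header followed by the start of an IHDR chunk.
    print(validate_image_upload("photo.png", b"\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR"))  # True
```

When the stored file is later served, sending the Content-Type derived from the sniffed format together with `X-Content-Type-Options: nosniff` stops the browser from reinterpreting the body as HTML.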