
[SVG ONLY FEATURE/BUG] Stored Cross-Site Scripting Vulnerability

Posted: Thu Feb 08, 2018 9:20 am
by Tanmay9511
Hi Team,

I have found stored cross-site scripting in the WonderCMS 2.4.0 application.

The vulnerability exists in the file upload functionality.

Re: [SVG ONLY FEATURE/BUG] Stored Cross-Site Scripting Vulnerability

Posted: Fri Feb 09, 2018 6:33 pm
by wiz
Please check the following link for this discussion. https://github.com/robiso/wondercms/issues/57

In short, SVGs allow JavaScript inside them, which is basically nothing new. We have two options:
1. Disable SVGs.
2. Don't do anything (since admins are the only ones who can upload anything). Additionally, we have decided some time ago that an admin executing JavaScript at any part of the CMS is ok. This is still open to discussion if necessary.

If we already allow JavaScript to be executed at any part of the CMS, would removing the SVG functionality make any difference?