Contao 5.4.1: Malicious File Upload (XSS in SVG)

Description:

# An Issue is discovered in Contao 5.4.1

# We have identified a vulnerability that allows an authenticated admin account to upload a SVG file containing malicious javascript code (Stored Cross-Site Scripting) into the target system. If the file is accessed through the website, it could lead to a Cross-Site Scripting (XSS) attack or execute arbitrary code via a crafted javascript to the target.

Affected Component:

http://[ip]/contao?act=move&do=files&mode=2&pid=files%2Fcontaodemo%2Fmedia%2Fcontent-images&id=&rt=deaa7b02c06d6cc4f3c68ec0f5.OX1bkqiOHJbgkGATVkTDE19Y1RBqS0HILO0uzSkPxcs.Zk8M3c77JfnT8lN4JxSSTC4Zj2EeMQ2Qdph4gEI8iKxcTD_bytRb3KHlNQ&ref=14YjsbRN

Payload:

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert('Grim The Ripper Team by SOSECURE Thailand');
   </script>
</svg>

First, log in to the target web application using an admin account.

http://[ip]/contao/login

Next, click on the “Files” panel.

Choose function “files”.

And click on “Upload files” function.

Choose function “Upload files”.

Click icon As in the picture.

Click icon on picture.

After that, click on “Click or drop here to upload” to upload a malicious file.

Upload files to the server.

Select the “GrimtheRipperTeam.svg” file to upload to the web application.

Select to “GrimTheRipperTeam.svg” file.

“GrimtheRipperTeam.svg” file has uploaded and click “Go back”.

“GrimTheRipperTeam.svg” file has uploaded.

Click “GrimtheRipperTeam.svg” Open New Tap.

the location of svg file on web.

Finally, we found that the malicious is working.

The payload was executed on the target.

Author:

Grim The Ripper Team by SOSECURE Thailand.