moxiecode / plupload

Plupload is a JavaScript API for building file uploaders. It supports multiple file selection, file filtering, chunked upload and client-side image downsizing, and when necessary it can fall back to alternative runtimes such as Flash and Silverlight.
http://www.plupload.com
GNU Affero General Public License v3.0

Passive XSS in plupload #1109

Open AleksSem opened 10 years ago

AleksSem commented 10 years ago

Steps to reproduce:

  1. rename picture.png to <img\ src\=\"x.gif\"\ onerror\=\"alert(document.cookie)\"\ >DSC01265.jpg
  2. Using the standard method, try to upload the file.
  3. You will get an alert with the cookies.
jayarjo commented 10 years ago

It is probably about one of the widgets..?

AleksSem commented 10 years ago

I managed to reproduce this bug in all examples at http://www.plupload.com/examples

Use a Linux OS; Windows doesn't allow creating files with such names. Just rename the file as in the example and try to upload it.

jayarjo commented 10 years ago

I mean it's an implementation bug, not Plupload's. But yes, pretty alarming anyway. Thanks for bringing this up.

greggles commented 8 years ago

@jayarjo does Plupload plan to fix the widgets distributed with the package?

waoufi commented 6 years ago

Hello, sorry to bring this up. @jayarjo, you said it's an implementation bug; can you explain more?

Actually, I'm using Plupload in a website I'm willing to secure, but I see this breach hasn't been fixed yet. What should I do? Keep Plupload if you think it will be fixed soon, or should I replace Plupload with some other library because there's no wish to fix this XSS?

(No offence meant, just trying to figure out what to do for the website)

Thanks!

alexandreLavenant commented 6 years ago

Hi, I've got the same problem and it's pretty important. I tried to add a filter but it does not seem to be enough.

Example:

// Requires jQuery ($). The name is parsed as HTML and the resulting text
// is compared with the original; any difference is treated as an attack.
plupload.addFileFilter('checkFilename', function(defaultReturn, file, cb) {
    var filename = $('<div>').html(file.name).text();

    if (filename !== file.name) {
        // Reject the file and surface a security error in the queue widget.
        this.trigger('Error',
        {
            code : plupload.SECURITY_ERROR,
            message : 'Security Invalid',
            file : file
        });
        cb(false);
        return;
    }

    cb(true);
});

@jayarjo Will you fix the widget anytime soon ?

Thanks.

jayarjo commented 6 years ago

Adding a filter is a way to go. In your case it doesn't work because you are not testing for invalid characters in the filename.

frankschuessler commented 1 year ago

Hello, it is 2023 now and this issue is still open...? I can't reproduce this issue in PL 2.3.9 here: https://www.plupload.com/examples.

Maybe anyone can review and close this?

Thank you.