Open dommar04 opened 8 years ago
It is considered good practice to send vulnerability reports to team@getsymphony.com directly. (So these issues can be solved before being published.) But I admit, it is not documented anywhere.
Can you tell which version of JIT you are using? Version 2, maybe? (With JIT 1.43 the response I get is `Image /workspace/ could not be found.`)

Script injection is working for me in JIT 1.44, if dynamic URLs are allowed. On initial load, `Image /workspace/'` is shown as body content and the browser alert is shown. After clicking the button in the browser alert, the `Image /workspace/ could not be found.` body content is loaded.
Should this issue be deleted while a fix is created? I don't have any more recent installations of JIT to test at the moment.
I'm using JIT 1.44.
You can delete the ticket if you like
I am afraid that I can not delete an issue. Maybe it's not possible at all. @nitriques will know.
> I am afraid that I can not delete an issue.

Yes we could. But that's too late.
@michael-e I've been dying to add a block on direct PHP access in the .htaccess for quite some time. That's the 3rd time it would have prevented XSS...
It's not reproducible with 2.x.x because of the renderer. But yeah I can confirm that it's working under 1.44.
I think I need to fix it....
A fix is available as version 1.46, see https://github.com/symphonycms/jit_image_manipulation/releases/tag/1.46.
@dommar04 Can you
`/image/1/100/0/<script>alert%28%27XSS%27%29</script>`) Thanks for reporting. As @michael-e said, please write to team@getsymphony.com
@michael-e I've documented it https://github.com/symphonycms/symphony-2/wiki/Security-Bug-Disclosure
Great!
Yes, it works in 1.46 and does not occur in 2.0.0.
The image.php is vulnerable to Cross-Site Scripting. Example: `..../extensions/jit_image_manipulation/lib/image.php?param=%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E`