symphonycms / jit_image_manipulation

Just in Time Image Manipulation for Symphony CMS
http://symphonyextensions.com/extensions/jit_image_manipulation/

Javascript Injection possible #152

Open dommar04 opened 8 years ago

dommar04 commented 8 years ago

The image.php is vulnerable to Cross-Site Scripting. Example: ..../extensions/jit_image_manipulation/lib/image.php?param=%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E

michael-e commented 8 years ago

It is considered good practice to send vulnerability reports to team@getsymphony.com directly. (So these issues can be solved before being published.) But I admit, it is not documented anywhere.

Can you tell which version of JIT you are using? Version 2, maybe? (With JIT 1.43 the response I get is Image /workspace/ could not be found.)

DavidOliver commented 8 years ago

Script injection is working for me in JIT 1.44, if dynamic URLs are allowed. On initial load, Image /workspace/' is shown as body content and the browser alert is shown. After clicking the button in the browser alert, the Image /workspace/ could not be found. body content is loaded.

Should this issue be deleted while a fix is created? I don't have any more recent installations of JIT to test at the moment.

dommar04 commented 8 years ago

I'm using JIT 1.44.

You can delete the ticket if you like.

michael-e commented 8 years ago

I am afraid that I can not delete an issue. Maybe it's not possible at all. @nitriques will know.

nitriques commented 8 years ago

I am afraid that I can not delete an issue.

Yes we could. But that's too late.

@michael-e I've been dying to add a block on direct php access in the .htaccess for quite some time. That's the 3rd time it would have prevented XSS...

It's not reproducible with 2.x.x because of the renderer. But yeah I can confirm that it's working under 1.44.

I think I need to fix it....
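The behaviour reported above (the requested path reflected into the "could not be found" error body) is illustrated below with an added example. This is not JIT's own code and not the 1.46 fix; the function names, the assumption that the 1.44 error text was built by string concatenation into an HTML response, and the sample payload are all constructed here.

```php
<?php
// Added illustration, not code from the jit_image_manipulation project.
// Assumption: the error page concatenated the requested path into an HTML body
// unescaped, which is what lets the <script> in the report reach the browser.

// Vulnerable pattern (hypothetical reconstruction of the reported behaviour).
function render_not_found_unsafe(string $requested_path): string
{
    // $requested_path comes straight from the URL; markup inside it is
    // interpreted by the browser, so the payload executes.
    return "Image /workspace/" . $requested_path . " could not be found.";
}

// Hardened form: escape for the HTML context so the path is shown as text.
function render_not_found_safe(string $requested_path): string
{
    $escaped = htmlspecialchars($requested_path, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "Image /workspace/" . $escaped . " could not be found.";
}

// Additionally send the error as plain text with nosniff, so that even a
// value that slipped through unescaped would not be rendered as markup.
function send_not_found(string $requested_path): void
{
    http_response_code(404);
    header('Content-Type: text/plain; charset=UTF-8');
    header('X-Content-Type-Options: nosniff');
    echo render_not_found_safe($requested_path);
}

// Constructed sample input mirroring the payload from the report above.
$sample = "<script>alert('XSS')</script>";
echo render_not_found_unsafe($sample), "\n"; // script tag reaches the browser verbatim
echo render_not_found_safe($sample), "\n";   // &lt;script&gt;... is inert text
```

The .htaccess block on direct access to lib/*.php that nitriques mentions is a complementary measure: it removes the reachable entry point, while the escaping above fixes the output itself.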

nitriques commented 8 years ago

A fix is available as version 1.46, see https://github.com/symphonycms/jit_image_manipulation/releases/tag/1.46.

nitriques commented 8 years ago

@dommar04 Can you

  1. Confirm that 1.46 solves the issue.
  2. Confirm that version 2.0.0 is unaffected. (i.e. /image/1/100/0/<script>alert%28%27XSS%27%29</script>)

Thanks for reporting. As @michael-e said, please write to team@getsymphony.com.

@michael-e I've documented it: https://github.com/symphonycms/symphony-2/wiki/Security-Bug-Disclosure

michael-e commented 8 years ago

Great!

dommar04 commented 8 years ago

Yes, it works in 1.46 and does not occur in 2.0.0.