View Issue Details

ID: 0006005
Project: SOGo
Category: Web Mail
View Status: public
Last Update: 2024-09-12 07:01
Reporter: julian123
Assigned To: qhivert
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: won't fix
Platform: [Server] Linux
OS: Ubuntu
OS Version: 16.04 LTS
Product Version: 5.10.0
Summary: 0006005: Upload of SVG file type leads to Stored-XSS
Description

Uploaded SVG files with embedded cross-site scripting payloads are executed when opened in another tab.

Steps To Reproduce

  1. Authenticate to the application.
  2. Compose a new email.
  3. Upload a .svg file with the following contents:

    <?xml version="1.0" standalone="no"?>
    <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

    <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
    <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="0004400"/>
    <script>
    alert(1)
    </script>

    </svg>

  4. Right-click the upload and open it in a new tab.
  5. Observe that the file executes and a JavaScript alert is created.
Tags: attachement
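
As an added example (not SOGo's code, and not the fix referenced in the comments), a server-side policy in Python for serving user-uploaded attachments: types a browser would execute when previewed inline (scripted SVG, PDF with embedded JavaScript, HTML) are forced to download, every response carries nosniff and a sandboxed CSP, and a detector flags SVG bodies that contain script so the upload can be logged or quarantined. The sample SVGs are constructed, and `svg_has_active_content` and `attachment_headers` are hypothetical helper names.

```python
import re

# Content types a browser renders as active content when shown inline
# (scripted SVG, PDF with embedded JavaScript, HTML).
ACTIVE_INLINE_TYPES = {
    "image/svg+xml", "application/pdf", "text/html", "application/xhtml+xml",
}

# Markers of executable content in SVG: <script> elements, on* event-handler
# attributes and javascript: URLs. This is a detector for flagging/logging an
# upload, not a sanitizer, so it never decides whether inline display is allowed.
_SVG_ACTIVE_RE = re.compile(rb"<\s*script\b|\son[a-z]+\s*=|javascript\s*:", re.IGNORECASE)


def svg_has_active_content(data: bytes) -> bool:
    """True if an SVG body carries script or event-handler markup."""
    return _SVG_ACTIVE_RE.search(data) is not None


def attachment_headers(content_type: str, filename: str) -> dict:
    """Response headers for serving a user-supplied attachment.

    Active types are forced to download instead of previewing; everything is
    served with nosniff (so the browser cannot re-interpret the body as another
    type) and a sandboxed CSP (so even an inline-rendered body has no origin
    and no script).
    """
    ctype = content_type.split(";")[0].strip().lower()
    safe_name = re.sub(r"[^\w.\-]", "_", filename) or "attachment"
    disposition = "attachment" if ctype in ACTIVE_INLINE_TYPES else "inline"
    return {
        "Content-Type": ctype,
        "Content-Disposition": f'{disposition}; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }


# Constructed sample inputs: the SVG shape from the report, and a benign one.
REPORT_SVG = b"""<svg version="1.1" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900"/>
<script>alert(1)</script>
</svg>"""
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle cx="5" cy="5" r="4"/></svg>'

if __name__ == "__main__":
    print("report svg flagged:", svg_has_active_content(REPORT_SVG))   # True
    print("benign svg flagged:", svg_has_active_content(BENIGN_SVG))   # False
    print(attachment_headers("image/svg+xml", "payload.svg"))
```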

Activities

qhivert (administrator) 2024-08-20 14:19 ~0017819

Can you try this one with the nightly? I don't reproduce it and the script is shown but not executed.
There was a fix for attachments between the 5.10 and the 5.11/current nightly -> https://github.com/Alinto/sogo/commit/2e37e59ed140d4aee0ff2fba579ca5f83f2c5920

julian123 (reporter) 2024-08-20 14:31 ~0017821

Sure thing, I'll have to test it after work today. I am using the client through Mailcow so I'll have to update that all, I'll let you know the result of my findings. Thanks!

julian123 (reporter) 2024-08-20 22:53 ~0017823

Hi, you're correct, SVG files no longer execute in 5.11, however PDF files with embedded JavaScript do. I'd consider changing them from previewing to downloading automatically if opened in a new tab. I can provide a POC pdf for you if you would like.

qhivert (administrator) 2024-08-21 07:08 ~0017824

Yes please

julian123 (reporter) 2024-08-21 09:52 ~0017826

Attached PoC to this note

payload1.pdf (13,424 bytes)

qhivert (administrator) 2024-09-12 07:01 ~0017874

Hello, Alinto decided we will not prevent people from previewing PDF files as this is up to your security/antispam to catch them and the user's responsibility to only open .pdf files from trusted sources.

Issue History

Date Modified Username Field Change
2024-08-19 23:55 julian123 New Issue
2024-08-19 23:55 julian123 Tag Attached: attachement
2024-08-20 14:19 qhivert Note Added: 0017819
2024-08-20 14:19 qhivert Assigned To => qhivert
2024-08-20 14:19 qhivert Status new => feedback
2024-08-20 14:31 julian123 Note Added: 0017821
2024-08-20 14:31 julian123 Status feedback => assigned
2024-08-20 22:53 julian123 Note Added: 0017823
2024-08-21 07:08 qhivert Note Added: 0017824
2024-08-21 07:08 qhivert Status assigned => feedback
2024-08-21 09:52 julian123 Note Added: 0017826
2024-08-21 09:52 julian123 File Added: payload1.pdf
2024-08-21 09:52 julian123 Status feedback => assigned
2024-09-12 07:01 qhivert Note Added: 0017874
2024-09-12 07:01 qhivert Status assigned => closed
2024-09-12 07:01 qhivert Resolution open => won't fix