CVE-2019–19206 — Stored XSS due to JavaScript execution in an SVG file

João Zietolie Ciconet
2 min readNov 21, 2019

Summary

In my recent security research in Dolibarr CRM / ERP, I was fortunately able to discover another vulnerability that gave me my second CVE, with an crafted SVG file, I was able to execute arbitrary javascript code in the application, which currently uses a blacklist to avoid XSS injections that just filter input plain text, with this method you can “bypass” this protection.

Description

The technique consists in craft a malicious SVG file, since the application accept any extension file for pictures and do not filter the content, the code below can be saved with the .svg extension file:

<?xml version=”1.0" standalone=”no”?>
<!DOCTYPE svg PUBLIC “-//W3C//DTD SVG 1.1//EN” “http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version=”1.1" baseProfile=”full” xmlns=”http://www.w3.org/2000/svg">
<polygon id=”triangle” points=”0,0 0,50 50,0" fill=”#009900" stroke=”#004400"/>
<script type=”text/javascript”>
alert(‘Vulnerable to XSS attacks’);
</script>
</svg>

Pay attention at the script tag between the code that can be easily manipulated with the javascript that you want, in my case I just used the alert function to confirm the vulnerability.

This vulnerability can be exploited by uploading this file, the alert function will be triggered when opening for the preview image or by going to the path where the file is saved, in the case of profile pic: http://IPOFAPPLICATION/dolibarr/viewimage.php?modulepart=userphoto&entity=1&file=2%2Fxsssvg.svg&cache=0

The steps to reproduce are quite simple, just upload the crafted image at your profile pic or where you want since this vulnerability affects all file upload inputs of Dolibarr:

Now just by opening the preview image, the javascript will be executed:

Or like I said, going by the path of the file:

This vulnerability affects 10.0.3 version but earlier versions are also vulnerable.

For more about the exploitation via svg files:

http://ghostlulz.com/xss-svg/

--

--