#14319 closed defect (fixed)
CVE-2017-5617: svgSalamander SSRF (Server-Side Request Forgery)
| Reported by: | sebastic | Owned by: | team |
|---|---|---|---|
| Priority: | major | Milestone: | 17.02 |
| Component: | Core | Version: | |
| Keywords: | svgsalamander cve ssrf | Cc: | sebastic |
Description (last modified by )
svgSalamaner is vulnerable to a Server-Side Request Forgery issue discovered by Luc Lynx,
initially reported on the oss-security list (1) and also in the svgSalamander GitHub repository (2):
If the library is being used in a web application for processing user supplied SVG files then the app is vulnerable to SSRF.
The attacker can send a specially crafted svg file, for example
<svg width="5cm" height="4cm" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink= "http://www.w3.org/1999/xlink"> <image xlink:href="https://host-in-the-trusted-network.com/test.jpg" x="0" y="0" height="50px" width="50px"/> </svg>and the lib will send the request inside the trusted network to the host-in-the-trusted-network.com (bypassing the firewall). In general, the attacker can use any scheme supported by default (such as file://, jar:// etc) or use application specific scheme.
How to fix - any schemes apart from data in the xlink:href attribute should be disallowed by default at
https://github.com/blackears/svgSalamander/blob/master/svg-core/src/main/java/com/kitfox/svg/ImageSVG.java#L120
Additional information:
https://cwe.mitre.org/data/definitions/918.html
http://www.slideshare.net/d0znpp/ssrf-attacks-and-sockets-smorgasbord-of-vulnerabilities
See also: Debian Bug #853134
Attachments (0)
Change History (14)
comment:1 by , 7 years ago
| Description: | modified (diff) |
|---|
comment:2 by , 7 years ago
comment:5 by , 7 years ago
Tomorrow morning if all tests are OK I will probably promote the latest release as new stable version (17.01 hotfix).
comment:6 by , 7 years ago
Thanks for the fixes. I've included your changes in the svgsalamander Debian package.
Due to leaving for FOSDEM tomorrow, I'm unlikely to have time to package the 17.01 hotfix until after FOSDEM.
comment:8 by , 6 years ago
Library author fixed it differently.
When we update svgSalamander we must use SVGUniverse.setImageDataInlineOnly(true)
comment:11 by , 6 years ago
Ah, the upstream fix is not correct! so svgSalamander 1.1.2 is still vulnerable.
comment:14 by , 4 years ago
| Keywords: | svgsalamander cve ssrf added |
|---|
Thanks for the report, I was following this since it popped on Github. Sadly 5 days and stil no answer from library author so I'm going to fix this myself.