Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-1091: Better checking of the file type when determining which files are SVGs by dkotter · Pull Request #28 · 10up/safe-svg

The sanitisation step of the Safe SVG WordPress plugin before 1.9.10 can be bypassed by spoofing the content-type in the POST request to upload a file. Exploiting this vulnerability, an attacker will be able to perform the kinds of attacks that this plugin should prevent (mainly XSS, but depending on further use of uploaded SVG files potentially other XML attacks).

CVE
#xss#vulnerability#ios#git

Description of the Change

We currently have a function that is hooked into the wp_handle_upload_prefilter filter. In there we check if the file type is image/svg+xml and if so, we sanitize the file. If that sanitization process fails, we don’t allow the file to be uploaded to WordPress.

There’s a potential issue here though because the file type we rely on comes from the Content-Type of the original form-data request. Typically this will be automatically set to whatever the real file type is but in theory, someone could spoof this request and set Content-Type to be anything, like image/png. In this case, they could send an actual SVG in the form-data but set the Content-Type to be image/png, which would then bypass our sanitization process (but would still be uploaded to WordPress).

This PR fixes this by utilizing the core WordPress function wp_check_filetype_and_ext to get the file type, instead of relying on the value that comes from the request. This should still work in all legitimate cases and if someone were to try sending a proper SVG but they change the Content-Type in the request, it will also catch that.

I tested the following scenarios:

  • Valid SVG uploaded without a custom Content-Type set. Our sanitization kicks in
  • Valid SVG uploaded with a custom Content-Type set (set to image/png). Our sanitization kicks in
  • Valid PNG uploaded without a custom Content-Type set. No sanitization needed from us
  • SVG file with a .png extension uploaded without a custom Content-Type set. File rejected
  • SVG file with a .png extension uploaded with a custom Content-Type set. File rejected
  • SVG file with no extension uploaded without a custom Content-Type set. File rejected
  • SVG file with no extension uploaded with a custom Content-Type set. File rejected

Alternate Designs

None

Possible Drawbacks

Slight impact on performance but should be minimal

Verification Process

Ensure that you can still properly upload SVGs in WordPress.

If desired, can also manually make a curl request to send an SVG with a manipulated Content-Type field, to verify that captures things correctly. I can provide an example curl command if needed.

Checklist:

  • I have read the CONTRIBUTING document.
  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have added tests to cover my change.
  • All new and existing tests passed.

Changelog Entry

Fixed - add better file type checking when looking for SVG files

Related news

CVE-2022-24841: Build software better, together

fleetdm/fleet is an open source device management, built on osquery. All versions of fleet making use of the teams feature are affected by this authorization bypass issue. Fleet instances without teams, or with teams but without restricted team accounts are not affected. In affected versions a team admin can erroneously add themselves as admin, maintainer or observer on other teams. Users are advised to upgrade to version 4.13. There are no known workarounds for this issue.

CVE-2022-24859: Build software better, together

PyPDF2 is an open source python PDF library capable of splitting, merging, cropping, and transforming the pages of PDF files. In versions prior to 1.27.5 an attacker who uses this vulnerability can craft a PDF which leads to an infinite loop if the PyPDF2 if the code attempts to get the content stream. The reason is that the last while-loop in `ContentStream._readInlineImage` only terminates when it finds the `EI` token, but never actually checks if the stream has already ended. This issue has been resolved in version `1.27.5`. Users unable to upgrade should validate and PDFs prior to iterating over their content stream.

CVE-2022-27652: Build software better, together

A flaw was found in cri-o, where containers were incorrectly started with non-empty default permissions. A vulnerability was found in Moby (Docker Engine) where containers started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907