FILESTACK UPLOAD ADVISORY SUMMARY
The following document describes identified vulnerabilities in the FileStack Upload application.
Product Vendor
FileStack
Product Description
FileStack provides a file uploader and APIs to upload, transform, and deliver any file into an application. The project’s official website is www.filestack.com. The affected version was tested on January 31, 2022.
Vulnerabilities List
One vulnerability was identified within the FileStack application:
- Cross-site Scripting (XSS)
This vulnerability is described in the following sections.
Affected Version
2022
Summary of Findings
The FileStack Upload application is affected by a cross-site scripting (XSS) vulnerability that allows an attacker to upload SVG files with JavaScript code inside them.
Impact
This enables JavaScript to be executed in the cdn.filestackcontent.com subdomain context and in any domain that loads the image as SVG.
Solution
- Display FileStack SVG images using <img> tags only.
- Include a strong CSP if loading the image as SVG.
- Use sandboxing if an <iframe> tag is used.
- Strip JavaScript code from the SVG before loading.
VULNERABILITIES
FileStack Version 2022
Cross-site Scripting (XSS)
The FileStack Upload application is affected by a cross-site scripting (XSS) vulnerability that allows an attacker to upload SVG files with JavaScript code inside them. This enables JavaScript to be executed in the cdn.filestackcontent.com subdomain context and in any domain that loads the image as SVG.
Vulnerability Details
Vulnerability Type: Cross-site Scripting (XSS)
Access Vector: ☒ Remote, ☐ Local, ☐ Physical, ☐ Context dependent, ☐ Other (if other, please specify)
Impact: ☐ Code execution, ☐ Denial of service, ☒ Escalation of privileges, ☒ Information disclosure, ☐ Other (if other, please specify)
Security Risk: ☐ Critical, ☐ High, ☐ Medium, ☒ Low
Vulnerability: CWE-79
The FileStack Upload application is affected by a cross-site scripting (XSS) vulnerability that allows an attacker to upload SVG files with JavaScript code inside them. This enables JavaScript to be executed in the cdn.filestackcontent.com subdomain context.
To demonstrate this issue, an SVG image was crafted to include JavaScript, as shown below:
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert(document.domain);
  </script>
</svg>
FIGURE 1 - JavaScript payload within SVG image
The image was then uploaded to FileStack and the resulting URL was visited in a browser to execute the JavaScript payload: https://cdn.filestackcontent.com/DgR2ShASQvWDwOQbVxOt
Upon detonation of the JavaScript payload, an alert box was displayed:
FIGURE 2 - JavaScript alert box
As shown above, the malicious JavaScript executed successfully. Although the payload was unable to escalate privileges within the https://cdn.filestackcontent.... domain, future changes to the application may introduce new vulnerabilities that could allow for escalation outside of the current domain.
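One way to implement the last recommendation in the Solution section (strip JavaScript from the SVG before it is stored or served), as an added example that is not FileStack's or Bishop Fox's code: a standard-library Python sanitizer run over a constructed copy of the Figure 1 payload. The function names and the set of removal rules (script elements, on* attributes, javascript: hrefs) are this example's own assumptions.

```python
# Added example: server-side SVG sanitizer applied at upload time. Strips the
# active content the advisory relies on (inline <script>) plus the two other
# common carriers (on* event attributes and javascript: hrefs).
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # keep xmlns="..." on output
ET.register_namespace("xlink", XLINK_NS)

# Constructed copy of the advisory's Figure 1 payload (embedded, not fetched).
PAYLOAD_SVG = """<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
  "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript"> alert(document.domain); </script>
</svg>"""


def _local(name):
    """Drop the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]


def _is_script_url(value):
    # Collapse whitespace/control characters so "java\nscript:" is still caught.
    return re.sub(r"[\s\x00-\x1f]", "", value).lower().startswith("javascript:")


def sanitize_svg(svg_text):
    """Return (clean_svg, removed); removed lists what was stripped.
    <script> is removed in any namespace, which also covers XHTML script
    inside <foreignObject>. Serialising drops the DOCTYPE as a side effect."""
    root = ET.fromstring(svg_text)   # expat parses the DOCTYPE, does not fetch the DTD
    removed = []
    for parent in list(root.iter()):                 # snapshot: safe to mutate
        for child in list(parent):
            if isinstance(child.tag, str) and _local(child.tag).lower() == "script":
                parent.remove(child)
                removed.append("element:script")
    for el in root.iter():
        for attr, value in list(el.attrib.items()):
            name = _local(attr).lower()
            if name.startswith("on"):                # onload, onclick, ...
                del el.attrib[attr]
                removed.append("attr:" + name)
            elif name == "href" and _is_script_url(value):   # href / xlink:href
                del el.attrib[attr]
                removed.append("href:javascript")
    return ET.tostring(root, encoding="unicode"), removed
```

Denylist stripping of this kind is defence in depth; the advisory's other measures (rendering via <img> only, a strong CSP, iframe sandboxing) still apply to anything that is served as an SVG document.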
CREDITS
- Carlos Yanez, Security Consultant III, Bishop Fox ([email protected])
TIMELINE
- 01/28/2022: Initial discovery
- 01/31/2022: Contact with vendor
- 03/10/2022: Vendor did not respond on security channel. Forwarded to support team
- 03/14/2022: Support reports SVG upload is intended functionality; no comment on vulnerability
- 03/14/2022: Clarification on vulnerability acknowledgement is requested by BishopFox
- 04/11/2022: Second clarification on vulnerability acknowledgement is requested by BishopFox
- 05/06/2022: Support restates SVG upload is intended functionality; no comment on vulnerability
- 06/23/2022: Vulnerability publicly disclosed