
FileStack Upload Advisory



FILESTACK UPLOAD ADVISORY SUMMARY

The following document describes identified vulnerabilities in the FileStack Upload application.

Product Vendor

FileStack

Product Description

FileStack is a file uploader with APIs to upload, transform, and deliver any file into an application. The project's official website is www.filestack.com. The affected version was tested on January 31, 2022.

Vulnerabilities List

One vulnerability was identified within the FileStack application:

  • Cross-site Scripting (XSS)

This vulnerability is described in the following sections.

Affected Version

2022

Summary of Findings

The FileStack Upload application is affected by a cross-site scripting (XSS) vulnerability that allows an attacker to upload SVG files with JavaScript code inside them.

Impact

This enables JavaScript to be executed in the cdn.filestackcontent.com subdomain context and in any domain that loads the image as SVG.

Solution

  • Display FileStack SVG images using <img> tags only.
  • Include a strong CSP if loading the image as SVG.
  • Use sandboxing if an <iframe> tag is used.
  • Strip JavaScript code from the SVG before loading.
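The last bullet, stripping JavaScript from the SVG before it is served, is the mitigation an upload service controls directly. The example below is added here and is not FileStack's code: it uses the Python standard library to remove <script> and <foreignObject> elements, on* event-handler attributes and javascript:/vbscript: hrefs, and it includes a constructed copy of the Figure 1 payload as test input.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # keep the default namespace on output
ET.register_namespace("xlink", XLINK_NS)

# Elements that carry or host script, and URI schemes that execute it.
ACTIVE_ELEMENTS = {"script", "foreignobject"}
ACTIVE_URI = re.compile(r"^\s*(javascript|vbscript)\s*:", re.IGNORECASE)

# CSP for an origin that serves uploaded SVGs as documents (second solution bullet):
# no script, no frames, no network loads; inline styles only.
SAFE_SVG_CSP = "default-src 'none'; style-src 'unsafe-inline'; sandbox"


def _local(name: str) -> str:
    """'{namespace}tag' -> 'tag'."""
    return name.rsplit("}", 1)[-1]


def strip_active_content(svg_bytes: bytes) -> tuple[bytes, list[str]]:
    """Drop script elements, on* handlers and script URIs from an SVG.

    Returns (cleaned document, list of removed items for audit logging).
    expat does not fetch the external DTD, but a production sanitizer should
    also use defusedxml to block entity-expansion attacks on the parser itself.
    """
    root = ET.fromstring(svg_bytes)
    removed: list[str] = []
    # Materialise the element list first: removing children while iterating skips nodes.
    for parent in list(root.iter()):
        for child in list(parent):
            tag = _local(child.tag).lower()
            if tag in ACTIVE_ELEMENTS:
                parent.remove(child)
                removed.append(f"element:{tag}")
    for elem in root.iter():
        for name in list(elem.attrib):
            local = _local(name).lower()
            if local.startswith("on"):                                    # onload=, onclick=
                del elem.attrib[name]
                removed.append(f"attr:{local}")
            elif local == "href" and ACTIVE_URI.match(elem.attrib[name]):  # href= / xlink:href=
                del elem.attrib[name]
                removed.append(f"uri:{local}")
    return ET.tostring(root, encoding="utf-8", xml_declaration=True), removed


# Constructed sample: the advisory's Figure 1 proof-of-concept SVG.
POC_SVG = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">alert(document.domain);</script>
</svg>"""
```

Running `strip_active_content(POC_SVG)` returns the polygon-only document and the log `['element:script']`; data: URIs are deliberately left alone because embedded raster images depend on them.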

VULNERABILITIES

FileStack Version 2022

Cross-site Scripting (XSS)

The FileStack Upload application is affected by a cross-site scripting (XSS) vulnerability that allows an attacker to upload SVG files with JavaScript code inside them. This enables JavaScript to be executed in the cdn.filestackcontent.com subdomain context and in any domain that loads the image as SVG.

Vulnerability Details

Vulnerability Type: Cross-site Scripting (XSS)

Access Vector: ☒ Remote, ☐ Local, ☐ Physical, ☐ Context dependent, ☐ Other (if other, please specify)

Impact: ☐ Code execution, ☐ Denial of service, ☒ Escalation of privileges, ☒ Information disclosure, ☐ Other (if other, please specify)

Security Risk: ☐ Critical, ☐ High, ☐ Medium, ☒ Low

Vulnerability: CWE-79

The FileStack Upload application is affected by a cross-site scripting (XSS) vulnerability that allows an attacker to upload SVG files with JavaScript code inside them. This enables JavaScript to be executed in the cdn.filestackcontent.com subdomain context.

To demonstrate this issue, an SVG image was crafted to include JavaScript, as shown below:

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.domain);
</script>
</svg>

FIGURE 1 - JavaScript payload within SVG image

The image was then uploaded to FileStack and the resulting URL was visited in a browser to execute the JavaScript payload: https://cdn.filestackcontent.com/DgR2ShASQvWDwOQbVxOt

Upon detonation of the JavaScript payload, an alert box was displayed:

FIGURE 2 - JavaScript alert box

As shown above, the malicious JavaScript executed successfully. Although the payload was unable to escalate privileges within the https://cdn.filestackcontent.... domain, future changes to the application may introduce new vulnerabilities that could allow for escalation outside of the current domain.

CREDITS

TIMELINE

  • 01/28/2022: Initial discovery
  • 01/31/2022: Contact with vendor
  • 03/10/2022: Vendor did not respond on security channel. Forwarded to support team
  • 03/14/2022: Support reports SVG upload is intended functionality, no comment on vulnerability
  • 03/14/2022: Clarification on vulnerability acknowledgement is requested by BishopFox
  • 04/11/2022: Second clarification on vulnerability acknowledgement is requested by BishopFox
  • 05/06/2022: Support restates SVG upload is intended functionality, no comment on vulnerability
  • 06/23/2022: Vulnerability publicly disclosed


About the author, Carlos Yanez

Carlos Yanez (CISSP, OSWE, OSCP, GWAPT, CNVP) is a Senior Security Consultant at Bishop Fox. His focus areas include web application assessments, cloud penetration tests, as well as mobile devices penetration tests. Prior to joining Bishop Fox, he worked on multiple e-commerce platforms as a Penetration Tester and spent years as a Web Developer and Systems Administrator. When AFK, he enjoys spending time with family and friends as well as learning new things and playing guitar.
