
Stored-XSS vulnerability in Jirafeau 4.6.2

This is a follow-up to issue #19 (closed).

Reported by Yann CAM (ycam) by mail:

This is similar to CVE-2022-30110 and CVE-2024-12326. This time the check for critical MIME types can be bypassed by adding a comma and text/html, like this: image/png,text/html. When doing the preview, the MIME type text/html takes precedence and you can, for example, execute JavaScript code.

ycam also provided a fix. We have to change line 626 of functions.php from

if (in_array($decomposed[0], $viewable) && stripos($mime, 'image/svg+xml') === false) {

to

if (in_array($decomposed[0], $viewable) && stripos($mime, 'image/svg+xml') === false && stripos($mime, ',') === false) {

But I think strpos() should also do it, since a comma will never be case-sensitive.

We should include this fix in 4.6.3 and report a CVE. If it is OK for you, I will create a MR on Monday, maybe Sunday, because I'm not at home on the weekend.
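The following is an added example, not Jirafeau's own code and not the patch from this issue. It reconstructs the shape of the check around line 626 of functions.php (an assumed `$viewable` allow-list of top-level types and `explode('/', $mime)`, which is how the real function reads the type; other details of the real function may differ) so that the reported bypass and the proposed fix can be run side by side from the command line. The reason the bypass works in the preview is that the stored string is sent back as the Content-Type header, and a browser parses a comma-separated Content-Type value as a list in which the last parsable type wins, so `image/png,text/html` is rendered as HTML. The third function, a strict single-token allow-list, is an alternative that is not what the issue proposes; it is included as an assumption about how a maintainer might harden the check further.

```php
<?php
// Added example (not Jirafeau code): reproduces the MIME check discussed in
// the issue in three variants and runs constructed inputs through them.
// Run with: php mime_check.php

/**
 * Vulnerable check, modelled on line 626 before the fix. Only the part before
 * the first '/' is compared against the allow-list, so "image/png,text/html"
 * passes because $decomposed[0] is "image".
 */
function is_viewable_vulnerable(string $mime): bool
{
    if ($mime === '') {
        return false;
    }
    $viewable = array('image', 'video', 'audio');   // assumed allow-list
    $decomposed = explode('/', $mime);
    if (in_array($decomposed[0], $viewable) && stripos($mime, 'image/svg+xml') === false) {
        return true;
    }
    return false;
}

/**
 * Fixed check as proposed in the issue: additionally reject any string that
 * contains a comma. strpos() is sufficient because ',' has no case variant.
 */
function is_viewable_fixed(string $mime): bool
{
    if ($mime === '') {
        return false;
    }
    $viewable = array('image', 'video', 'audio');
    $decomposed = explode('/', $mime);
    if (in_array($decomposed[0], $viewable)
        && stripos($mime, 'image/svg+xml') === false
        && strpos($mime, ',') === false) {
        return true;
    }
    return false;
}

/**
 * Stricter alternative (assumption, not part of the issue): accept only one
 * well-formed type/subtype token, using a simplified token grammar. This
 * rejects commas, semicolons, whitespace and parameters in one go instead of
 * deny-listing individual separators.
 */
function is_viewable_strict(string $mime): bool
{
    if (!preg_match('~^([a-z0-9][a-z0-9.+_-]*)/([a-z0-9][a-z0-9.+_-]*)$~i', $mime, $m)) {
        return false;
    }
    $type = strtolower($m[1]);
    $subtype = strtolower($m[2]);
    if ($type === 'image' && $subtype === 'svg+xml') {
        return false;   // SVG can carry scripts, keep it out of inline preview
    }
    return in_array($type, array('image', 'video', 'audio'), true);
}

// Constructed inputs: each key is an attacker-controlled MIME string as it
// would be stored at upload time; values are the expected results for
// (vulnerable, fixed, strict).
$cases = array(
    'image/png'                => array(true,  true,  true),
    'image/png,text/html'      => array(true,  false, false),   // the reported bypass
    'image/svg+xml'            => array(false, false, false),
    'IMAGE/SVG+XML'            => array(false, false, false),
    'text/html'                => array(false, false, false),
    'image/png; charset=utf-8' => array(true,  true,  false),   // only the strict variant rejects parameters
    ''                         => array(false, false, false),
);

foreach ($cases as $mime => $expected) {
    $got = array(
        is_viewable_vulnerable($mime),
        is_viewable_fixed($mime),
        is_viewable_strict($mime),
    );
    $status = ($got === $expected) ? 'ok  ' : 'FAIL';
    printf("%s %-28s vulnerable=%-5s fixed=%-5s strict=%s\n",
        $status,
        var_export($mime, true),
        var_export($got[0], true),
        var_export($got[1], true),
        var_export($got[2], true));
}
```

The second row is the whole issue in one line: the vulnerable variant returns true for `image/png,text/html`, the fixed variant returns false. The comma check is a deny-list fix, which is why the strict variant is shown alongside it; whether rejecting parameters such as `; charset=` is acceptable depends on what the upload path actually stores, so that variant should be treated as a starting point rather than a drop-in replacement.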