243 - GhostCMS, ClamAV, and the Top Web Hacking Techniques of 2023
XSS delivered via profile image upload of an SVG containing the XSS. This is a fairly common situation, where SVG support allows XSS because the scripts inside the SVG are not sanitized, but also one we have basically never talked about on the podcast.
Within the context of Ghost CMS the Ghost team decided that this issue was not worth fixing. Presumably because even the lowest role of Contributor could get XSS through the actual content they produce. Though they cannot publish that content and scripts do not execute within the content panel, as long as the content they write is published they can get an arbitrary script running on the blog.

What makes this XSS a little more interesting though is that it is within the profile image functionality: those profile images won’t only be shown on the blog but will be shown within the content panel also, allowing the XSS to land from within the content/admin panel and target an admin. Under common deployments the panel and the blog will be on the same domain, so this doesn’t matter very much, as XSS on the main domain can still communicate with the REST API in the panel and use that to leak session information and upgrade a user’s role to gain privileges. If the panel is hosted on an external domain though, the fact the XSS lands on the panel itself does create a new privilege escalation vector that wouldn’t be present with a blog-only XSS.
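As an added example of the defensive side of this issue (not Ghost's code, and not tied to its upload pipeline), the following Python screens an uploaded SVG before it is accepted as a profile image. The policy is to reject anything that carries scriptable or external content rather than to strip it and keep the rest, since whatever survives is later rendered inside the admin panel as well as on the public blog. The sample avatars and every reason string are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Added example (not Ghost's code): screen an uploaded SVG before accepting it
# as a profile image. Reject-on-sight rather than strip-and-keep, because
# anything that survives screening is rendered in the admin panel too.

ACTIVE_ELEMENTS = {"script", "foreignobject"}   # foreignObject embeds HTML


def _local_name(qualified):
    """Strip an ElementTree '{namespace}' prefix from a tag or attribute."""
    return qualified.rsplit("}", 1)[-1]


def find_active_content(svg_bytes):
    """Return the list of reasons an SVG must not be stored as-is.
    An empty list means no scriptable or external content was found."""
    reasons = []
    # DTDs and entity declarations have no business in an avatar; refuse
    # them before the parser sees them rather than trying to bound expansion.
    if re.search(rb"<!(DOCTYPE|ENTITY)", svg_bytes, re.IGNORECASE):
        return ["DTD or entity declaration present"]
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        # Not well-formed XML: browsers may still render it leniently, so refuse it.
        return [f"not well-formed XML: {exc}"]
    if _local_name(root.tag) != "svg":
        reasons.append(f"root element is <{_local_name(root.tag)}>, not <svg>")
    for elem in root.iter():
        name = _local_name(elem.tag)
        if name.lower() in ACTIVE_ELEMENTS:
            reasons.append(f"<{name}> element")
        for attr, value in elem.attrib.items():
            attr_name = _local_name(attr)          # handles xlink:href as well
            if attr_name.lower().startswith("on"):  # onload, onclick, ...
                reasons.append(f"event handler {attr_name} on <{name}>")
            if attr_name == "href":
                target = value.strip().lower()
                if target.startswith("javascript:"):
                    reasons.append(f"javascript: URL in href on <{name}>")
                elif target.startswith(("http:", "https:", "//")):
                    # <use>/<image> pulling remote content; only fragments
                    # and data: URLs are acceptable in an avatar.
                    reasons.append(f"external reference in href on <{name}>")
    return reasons


def is_acceptable_profile_image(svg_bytes):
    """True only when screening found nothing to object to."""
    return not find_active_content(svg_bytes)


# Constructed sample inputs for this example.
CLEAN_AVATAR = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
                b'<circle cx="5" cy="5" r="4" fill="#09f"/></svg>')
ACTIVE_AVATAR = (b'<svg xmlns="http://www.w3.org/2000/svg" '
                 b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="/* handler */">'
                 b'<script>/* script body */</script>'
                 b'<a xlink:href="javascript:void(0)"><text>hi</text></a>'
                 b'<image href="https://example.invalid/x.png"/></svg>')

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_AVATAR), ("active", ACTIVE_AVATAR)):
        print(label, "->", find_active_content(sample) or "accepted")
```

Screening like this reduces the attack surface but is not the whole mitigation: an SVG that is only ever embedded via `<img>` does not run script, while one opened directly as a document does, so user-supplied images should also be served from a separate origin (the same separation the text notes for the admin panel) and with a Content-Security-Policy that forbids script, so that a screening miss cannot reach the panel's session or REST API.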
A pretty classic command injection vulnerability but in ClamAV. Often seen (in my experience) running on mail-servers to scan incoming email attachments.
When a virus is detected clamd will execute a command:
VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v in %f"
Where %v is the identified virus name, and %f is the file name that was detected as a virus. In traditional form, clamd will replace the two string parameters without any sanitization on the filename at all. So including a ; within the filename can break out and start a new shell command. While the issue isn’t very crazy, seeing it in an AV can be a little surprising, but these types of issues do exist even within security products, and dare I say security products often have poor security.
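To make the difference concrete, here is an added Python example (not ClamAV's code) contrasting the two ways a VirusEvent-style template can be expanded: as one string that a shell later re-parses, versus token by token into an argv list that is executed without a shell. The config line is the one quoted above; the virus name, the file name carrying a `;`, and the echo template used to run it are constructed for the example.

```python
import shlex
import subprocess
import sys

# Added example (not ClamAV's code): expanding a VirusEvent-style template as
# one shell string versus per argv element. Only the second form keeps a
# hostile file name inert, whatever characters it contains.

SHELL_METACHARACTERS = set(";|&`$<>()\n\"'\\")


def parse_virus_event(config_line):
    """Extract the command template from a 'VirusEvent <command>' line."""
    directive, _, template = config_line.strip().partition(" ")
    if directive != "VirusEvent":
        raise ValueError(f"not a VirusEvent directive: {config_line!r}")
    return template.strip()


def expand_unsafe(template, virus_name, file_name):
    """The pattern the text describes: textual substitution into a single
    string. If that string is then handed to a shell, the shell, not the
    program, decides where the file name ends and the next command begins."""
    return template.replace("%v", virus_name).replace("%f", file_name)


def expand_safe(template, virus_name, file_name):
    """Apply shell quoting rules to the operator's template once, then
    substitute into each token. The file name always remains one argument."""
    return [tok.replace("%v", virus_name).replace("%f", file_name)
            for tok in shlex.split(template)]


def suspicious_file_name(file_name):
    """Detection aid: names carrying shell metacharacters are worth logging
    even when the execution path is safe."""
    return any(ch in SHELL_METACHARACTERS for ch in file_name)


def run_virus_event(template, virus_name, file_name):
    """Run the expanded argv without a shell and return what it printed."""
    argv = expand_safe(template, virus_name, file_name)
    result = subprocess.run(argv, capture_output=True, text=True, check=False)
    return result.stdout


# Constructed sample input: the config line from the text and a file name
# that carries the ';' the text describes.
CONFIG_LINE = 'VirusEvent /usr/local/bin/send_sms 123456789 "VIRUS ALERT: %v in %f"'
SAMPLE_VIRUS = "Eicar-Test-Signature"
SAMPLE_FILE = "/var/spool/mail/tmp/attachment.pdf; echo injected"

# A template that runs anywhere Python does (assumes the interpreter path has
# no spaces): prints its last argument so argv boundaries are visible.
ECHO_TEMPLATE = f'{sys.executable} -c "import sys; print(sys.argv[1])" "VIRUS ALERT: %v in %f"'

if __name__ == "__main__":
    template = parse_virus_event(CONFIG_LINE)
    print("as one string:", expand_unsafe(template, SAMPLE_VIRUS, SAMPLE_FILE))
    print("as argv:      ", expand_safe(template, SAMPLE_VIRUS, SAMPLE_FILE))
    print("executed:     ", run_virus_event(ECHO_TEMPLATE, SAMPLE_VIRUS, SAMPLE_FILE), end="")
```

The same principle applies to any product that lets an operator configure a command template: tokenise the template under the operator's control, and deliver the attacker-influenced values (virus name, file name) through argv or environment variables rather than by splicing them into the command string.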