Snippets Groups Projects

CSV-Import allows arbitrary ﬁle uploads

CLN-009 — CSV-Import allows arbitrary ﬁle uploads

Vulnerability ID: CLN-009

Vulnerability type: File Upload

Threat level: Low

Description:

Arbitrary files can be uploaded through the CSV-Import app.

Technical description:

The CSV-Import app allows users to import site data using a .zip file containing .csv files and corresponding image files for user Avatars and photos. Elsewhere in AlekSIS, photo uploads are subject to file validation filters to prevent users from uploading other file types. However, the CSV-Import app does not perform any validation on attached image files and arbitrary file types can be uploaded. AlekSIS will attempt to render files as images when referenced in user avatars or photos via img src= or as the background of a CSS element. An HTML file containing malicious Javascript can be uploaded in this way, but this file will only be loaded by a user (as in a cross-site scripting attack) if the user searches out the direct link in the page source. In testing we were unable to meaningfully exploit this arbitrary file upload.

Impact:

The CSV-Import mechanism is bypassing the controls on image upload that are employed elsewhere in AlekSIS.
Future features or other untested AlekSIS apps may be exploitable if these uploaded files are linked to or included in ways that enable cross-site scripting attacks.

Recommendation:

CSV-Import should properly validate files included as images and exclude non-image files. See OWASP Arbitry Upload documentation for more information.

Designs

Child items ...

Activity

Jonathan Weth changed milestone to %14c. Process issues found in testing and security audit 3 months ago

changed milestone to %14c. Process issues found in testing and security audit
Jonathan Weth added Security part::backend type::bug labels 3 months ago

added Security part::backend type::bug labels
Jonathan Weth assigned to @yuha 3 months ago

assigned to @yuha
Jonathan Weth changed milestone to /AlekSIS%"[NLnet #6 (closed)] Process issues found in testing and security audit" 3 months ago

changed milestone to /AlekSIS%"[NLnet #6 (closed)] Process issues found in testing and security audit"
Jonathan Weth @hansegucker · 3 months ago

Author Owner

Action to take: Ensure that model validation runs (full_clean, https://docs.djangoproject.com/en/5.1/ref/models/instances/#django.db.models.Model.full_clean), this should also check files
Jonathan Weth assigned to @hansegucker and unassigned @yuha 2 months ago

assigned to @hansegucker and unassigned @yuha
Jonathan Weth made the issue visible to everyone 2 months ago

made the issue visible to everyone
Jonathan Weth created branch 61-csv-import-allows-arbitrary-le-uploads to address this issue 2 months ago

created branch 61-csv-import-allows-arbitrary-le-uploads to address this issue
Jonathan Weth mentioned in merge request !178 (merged) 2 months ago

mentioned in merge request !178 (merged)
Jonathan Weth closed with commit 1f5ec35c 2 months ago

closed with commit 1f5ec35c
Jonathan Weth mentioned in commit 1f5ec35c 2 months ago

mentioned in commit 1f5ec35c

Please register or sign in to reply