Possible IE XSS Attack

From Joomla! Documentation

Latest revision as of 19:20, 1 September 2013

This Namespace has been archived - Please Do Not Edit or Create Pages in this namespace. Pages contain information for a Joomla! version which is no longer supported. It exists only as a historical reference, will not be improved and its content may be incomplete.

This is a check run to ensure that an uploaded image does not flip IE6 into one of its quirks where it takes a perfectly valid-looking image and treats it as a web page. This creates the potential for an XSS attack, where script embedded in an uploaded file is executed when the file is served from the site. It appears that this has been fixed in IE7 or greater.

The Joomla Media Manager runs a few checks to try to ensure that what is being uploaded is sane. If the file is an image, it attempts to verify that it has valid dimensions; for other file types it attempts to validate that the MIME type is correct using fileinfo or mime magic. If you are an administrator or higher (super admin) these checks can be bypassed, but the XSS check cannot be bypassed: it runs even when all the other checks pass.

Typically, if you look at the EXIF data of the image, there will be something resembling HTML that could trip IE up. The check errs on the safe side and rejects the file. Stripping the HTML from the image metadata should fix the problem.
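To make the behaviour described above concrete, here is a stand-alone Python re-implementation of the idea (added for this page; it is not the Media Manager's own PHP code). It builds a constructed 1x1 PNG with and without an HTML tag in a text chunk, confirms that both pass a dimension check, and shows that only the one with tag-like bytes in its metadata is rejected. The tag list is a reduced, constructed subset, and the 256-byte window is an assumption of this example.

```python
import struct
import zlib
from typing import Optional, Tuple

# Reduced list of tag names, constructed for this example; the sniff is
# case-insensitive and looks for '<tag ' or '<tag>' in the file head.
HTML_TAGS = ("html", "body", "head", "script", "iframe", "object", "embed",
             "meta", "title", "img", "style", "!doctype", "!--")


def find_html_tag(data: bytes, limit: int = 256) -> Optional[str]:
    """Return the first tag-like opening found in the first `limit` bytes,
    or None if the head of the upload looks clean."""
    head = data[:limit].lower()
    for tag in HTML_TAGS:
        t = tag.encode()
        if b"<" + t + b" " in head or b"<" + t + b">" in head:
            return tag
    return None


def png_dimensions(data: bytes) -> Optional[Tuple[int, int]]:
    """Minimal 'valid dimensions' check: read width/height from the PNG IHDR."""
    if not data.startswith(b"\x89PNG\r\n\x1a\n") or data[12:16] != b"IHDR":
        return None
    w, h = struct.unpack(">II", data[16:24])
    return (w, h) if w > 0 and h > 0 else None


def _chunk(kind: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(kind + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + kind + body + struct.pack(">I", crc)


def make_png(comment: Optional[bytes] = None) -> bytes:
    """Constructed 1x1 RGB PNG; an optional tEXt chunk stands in for metadata."""
    ihdr = _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
    text = _chunk(b"tEXt", b"Comment\x00" + comment) if comment else b""
    idat = _chunk(b"IDAT", zlib.compress(b"\x00\x00\x00\x00"))
    return b"\x89PNG\r\n\x1a\n" + ihdr + text + idat + _chunk(b"IEND", b"")


def can_upload(data: bytes) -> Tuple[bool, str]:
    """Dimension check first, then the IE sniff check, which is never skipped."""
    if png_dimensions(data) is None:
        return False, "not a valid image"
    tag = find_html_tag(data)
    if tag is not None:
        return False, f"Possible IE XSS Attack found (<{tag}>)"
    return True, "ok"
```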

Further Reading

* [http://joomlacode.org/gf/project/joomla/tracker/?action=TrackerItemEdit&tracker_item_id=7227 Joomla! 1.5 Bug Tracker #7227: file upload vulnerability in joomla com_media component]

* [http://kestas.kuliukas.com/JavaScriptImage/ Running an XSS attack from an image]