CVE-2024-12326 - Jirafeau Vulnerability: Case-Insensitive MIME Type Check for SVG File Uploads

CVE-2024-12326 is a vulnerability discovered in the Jirafeau file transfer service, which can enable users to bypass built-in security measures designed to prevent unauthorized browser previews of uploaded SVG files. This vulnerability can lead to potential cross-site scripting (XSS) attacks. In this post, we will discuss the issue, how it can be exploited, and the changes made to address this vulnerability by making the check case-insensitive.

Background

Jirafeau is a popular file sharing service widely used for its simplicity and ease of use. It is designed to prevent browser previews of SVG files uploaded to the platform, as manipulated SVG files can potentially be exploited for cross-site scripting (XSS) attacks, as originally reported in CVE-2022-30110.

Original references

CVE-2022-30110: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30110
Jirafeau GitHub Repository: https://github.com/jirafeau/Jirafeau

Exploit Details

Despite Jirafeau's intended security feature to prevent browser preview for MIME type image/svg+xml, it was discovered that the check performed on MIME type during file upload was case-sensitive, allowing attackers to bypass the security check by altering the case of the MIME type submitted, for example: image/svg+XML.

The following code snippet represents a potential weak point in Jirafeau's MIME type checking logic

function isSvgMimeType($mime_type) {
    return $mime_type === 'image/svg+xml';
}

By changing any letter's case in the MIME type, an attacker can bypass the prevention of a browser preview:

<input type="file" accept="image/svg+XML">

This allows the manipulated SVG files to potentially be exploited for XSS through browser previews, making the web application vulnerable.

Fix Details

The fix for this issue involves changing the check for MIME type image/svg+xml to be case-insensitive. In PHP, this can be done by using the strcasecmp() function, which compares two strings case-insensitively. The updated check would look like this:

function isSvgMimeType($mime_type) {
    return strcasecmp($mime_type, 'image/svg+xml') === ;
}

By making this change, the vulnerability is effectively addressed, preventing attackers from bypassing the intended restrictions on SVG file previews and safeguarding the platform against potential XSS attacks.

Conclusion

CVE-2024-12326 highlights the importance of rigorously verifying user input in web applications, even when it comes to seemingly benign tasks such as previewing image files. Ensuring security measures are not vulnerable to simple bypasses, such as changing the case of a string, can significantly improve the overall security of a web application. The fix for this vulnerability demonstrates that sometimes simple changes, such as making a string comparison case-insensitive, can protect against potential exploits.

Timeline

Published on: 12/06/2024 21:15:05 UTC