Security Update: Issue Fixed
The fix for this vulnerability has been committed here:
https://github.com/django-cms/django-filer/commit/8f7f96f58a84f224c294a3fdca997cad243d1dd9
Vendor Advisory:
django Filer introduced file upload validation in version 3. By default, binary or unidentified files could be uploaded and downloaded by a different person and executed by hand on a local machine. To avoid the risk of malware distributed this way, django Filer 3.3 now by default rejects binary files or unknown file types. You can allow them or run them through a virus checker by adjusting your project settings.
We recommend all users of django Filer and django CMS Attributes Field to update to the new versions.
CVE-ID: CVE-2024-11404
CVSS Score:
CVSS v3.1 Base Score: 5.5 - Medium
- CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
Affected Versions:
- django-filer 3.2.3 (version tested; the vendor advisory above states the fix ships in django Filer 3.3)
Impacted CWE Categories:
- CWE-434: Unrestricted Upload of File with Dangerous Type
- CWE-20: Improper Input Validation
- CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Vulnerability Summary:
The vulnerabilities were identified in django-filer 3.2.3, a file management application commonly used with django CMS. These issues allow attackers to bypass upload restrictions for HTML and SVG files, potentially uploading malicious files containing scripts that execute on the client side. The following vulnerabilities were observed:
- HTML File Upload Bypass: File extensions like .html are intended to be blocked but can be uploaded by appending a space (%20) to the filename.
- SVG File Upload Validation Bypass: The validate_svg function, designed to detect XSS payloads, can be bypassed by appending a space to the filename, allowing the upload of malicious SVG files.
Technical Details:
1. HTML File Upload Bypass
Affected Component:
The issue exists within the media upload functionality at /admin/filer/folder/ in the application.
Issue:
File extensions such as .html are blocked during the upload process. However, submitting the file name with a trailing space (iltosec.html%20 in the URL-encoded request, i.e. "iltosec.html ") lets the upload through: the name no longer ends in .html at the point the restriction is applied, yet the file is stored and served as iltosec.html. This is consistent with the trailing whitespace being stripped when the storage name is generated, after validation has already run on the raw name.
Reproduction Steps:
- Attempt to upload an .html file, such as iltosec.html. The system will return an error message:
{"error": "['File \"iltosec.html\": HTML upload denied by site security policy']"}
- Modify the upload request by appending a space to the filename:
iltosec.html%20
- Upload the file again. The file will be uploaded successfully and can be accessed at:
http://127.0.0.1:8000/media/filer_public/.../iltosec.html
2. SVG File Upload Validation Bypass
Affected Component:
The vulnerability is located in the SVG file validation function (validate_svg), specifically in how the application validates potential XSS payloads in uploaded SVG files.
Issue:
The validate_svg function checks the file content for certain XSS triggers. However, appending a space to the filename means the name no longer carries the .svg extension when the validators are selected, so validate_svg is never invoked and the malicious SVG is uploaded. By the same mechanism as the HTML bypass, the stored file ends up with its .svg name and is served as SVG.
Reproduction Steps:
- Upload an SVG file containing an XSS payload, e.g., bypassxssthread1.svg. The file will be rejected with the error:
{"error": "['File \"bypassxssthread1.svg\": Rejected due to potential cross site scripting vulnerability']"}
- Modify the upload request by adding a space to the filename (bypassxssthread1.svg%20).
- The file is successfully uploaded, bypassing the XSS validation.
Proof of Concept:
1. HTML File Upload Bypass
The issue arises because the system does not normalise filenames with trailing spaces before validating them. This allows the upload of HTML files containing JavaScript, which the application then serves from its media path; the script runs in the browser of anyone who opens that URL (Cross-Site Scripting in the application's origin).
Steps to Reproduce:
- Open the admin interface for file uploads at /en/admin/filer/folder/.
- Try to upload a file with the extension .html, such as iltosec.html. The error message will indicate that HTML uploads are denied.
- Modify the upload request by appending a space (%20) to the file name, e.g., iltosec.html%20.
- Upload the file with the modified filename. The file will upload successfully.
- Access the uploaded file via the URL: http://127.0.0.1:8000/media/filer_public/.../iltosec.html.
2. SVG File Upload Validation Bypass
Steps to Reproduce:
- Open the admin interface for SVG file uploads.
- Attempt to upload an SVG file containing an XSS payload (e.g., bypassxssthread1.svg).
- The file will be rejected, showing the error:
{"error": "['File \"bypassxssthread1.svg\": Rejected due to potential cross site scripting vulnerability']"}
- Modify the filename by appending a space (%20), resulting in bypassxssthread1.svg%20.
- Upload the modified file. The file will successfully bypass the validation and be uploaded.
- The uploaded SVG is now served from the media path; when opened directly in a browser, its embedded script runs, enabling XSS attacks.
Impact
Both vulnerabilities pose significant security risks. Note that both require an account that is permitted to upload files through the filer admin (PR:L in the CVSS vector above), which is why the base score is Medium rather than High.
Vulnerability 1 (Media File Upload Bypass):
Allows the upload of HTML files containing malicious scripts, which run in the browser of any user who opens them from the application's media URL (Cross-Site Scripting).
Vulnerability 2 (SVG File Upload Bypass):
Allows attackers to upload SVG files with embedded XSS payloads, potentially compromising user sessions, stealing cookies, or performing unauthorized actions on behalf of the user.
Both vulnerabilities can weaken the overall trust and security of the web application.
Remediation:
Vulnerability 1 (Media File Upload Bypass):
- Implement strict server-side validation that checks the file's content, not just the extension.
- Normalise file names (at minimum, strip surrounding whitespace) before any validator runs, validate the name the file will actually be stored under, and reject names with appended spaces or special characters.
Vulnerability 2 (SVG File Upload Bypass):
- Apply the same normalisation before selecting validators, so that validate_svg runs for every file that will be stored with an .svg extension, including names with appended spaces.
- Implement more comprehensive content inspection to prevent the upload of malicious scripts.
For deployments, upgrade to django-filer 3.3, which contains the vendor fix linked at the top of this page.
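The mechanism shared by both bypasses in the Technical Details and Proof of Concept sections, together with the normalise-before-validate fix the Remediation section calls for, as an added example. This is not code from django-filer, from the vendor fix, or from the advisory author: the validator table (VALIDATORS), the deny_html and validate_svg stand-ins, the UploadRejected exception, upload_vulnerable, upload_hardened and is_rejected are hypothetical names chosen for this illustration, the XSS pattern is a simplified stand-in for whatever the real validate_svg checks, storage_name re-implements only the whitespace and character handling of Django's get_valid_filename so the script runs without Django installed, and the HTML/SVG inputs are constructed samples.

```python
import os
import re

# Constructed sample uploads for this example (not the files from the advisory).
HTML_SAMPLE = b"<html><body><script>alert(1)</script></body></html>"
SVG_XSS_SAMPLE = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">'
                  b'<script>alert(1)</script></svg>')
SVG_CLEAN_SAMPLE = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>'


class UploadRejected(Exception):
    """Raised by a validator to refuse an upload (hypothetical name)."""


def deny_html(name, data):
    # Stand-in for an HTML-denying validator; the message mirrors the advisory's error text.
    raise UploadRejected(f'File "{name}": HTML upload denied by site security policy')


# Simplified stand-in for a content check that looks for script elements,
# on* event handlers and javascript: URLs. The real validate_svg may differ.
SVG_XSS_PATTERN = re.compile(rb"<script\b|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def validate_svg(name, data):
    if SVG_XSS_PATTERN.search(data):
        raise UploadRejected(
            f'File "{name}": Rejected due to potential cross site scripting vulnerability')


# Hypothetical extension-keyed validator table: which checks run is decided
# purely by the extension of the submitted filename.
VALIDATORS = {".html": [deny_html], ".htm": [deny_html], ".svg": [validate_svg]}


def storage_name(name):
    """Whitespace/character normalisation re-implemented after Django's
    get_valid_filename (strip, spaces -> underscores, drop unsafe characters),
    so the example runs without Django installed."""
    cleaned = str(name).strip().replace(" ", "_")
    return re.sub(r"(?u)[^-\w.]", "", cleaned)


def upload_vulnerable(name, data):
    """Validate on the raw submitted name, then normalise it for storage.
    'iltosec.html ' (the decoded form of iltosec.html%20) has the extension
    '.html ', which matches no table entry, so no validator runs; the storage
    name then loses the space and the file is served as iltosec.html."""
    ext = os.path.splitext(name)[1].lower()
    for check in VALIDATORS.get(ext, []):
        check(name, data)
    return storage_name(name)


def upload_hardened(name, data):
    """Normalise first, then validate the name the file will actually be
    stored under, so that what is checked is what gets served."""
    clean = storage_name(name)
    if not clean:
        raise UploadRejected(f'File "{name}": empty filename after normalisation')
    ext = os.path.splitext(clean)[1].lower()
    for check in VALIDATORS.get(ext, []):
        check(clean, data)
    return clean


def is_rejected(handler, name, data):
    """True if the handler refuses the upload."""
    try:
        handler(name, data)
    except UploadRejected:
        return True
    return False


if __name__ == "__main__":
    cases = (("iltosec.html", HTML_SAMPLE),
             ("iltosec.html ", HTML_SAMPLE),            # iltosec.html%20 after URL decoding
             ("bypassxssthread1.svg ", SVG_XSS_SAMPLE),
             ("logo.svg", SVG_CLEAN_SAMPLE))
    for handler in (upload_vulnerable, upload_hardened):
        for name, data in cases:
            outcome = "rejected" if is_rejected(handler, name, data) else "stored as " + storage_name(name)
            print(f"{handler.__name__:17} {name!r:25} -> {outcome}")
```

The vulnerable path only ever compares the raw string's extension against the table, so any byte that survives into the extension (a trailing space here) but is later discarded by the storage layer defeats the check. Validating the normalised name, as upload_hardened does, closes that gap for every validator in the table at once rather than patching validate_svg alone.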
Timeline:
Date | Status
16-NOV-2024 | Reported to vendor
18-NOV-2024 | Vendor acknowledgement
20-NOV-2024 | Vulnerability fixed
20-NOV-2024 | Patch available
20-NOV-2024 | Public disclosure