Javascript Injection possible

[dommar04]

The image.php is vulnerable to Cross-Site Scripting
Example:
..../extensions/jit_image_manipulation/lib/image.php?param=%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E

[michael-e]

It is considered good practice to send vulnerability reports to team@getsymphony.com directly. (So these issues can be solved before being published.) But I admit, it is not documented anywhere.

Can you tell which version of JIT you are using? Version 2, maybe? (With JIT 1.43 the response I get is Image /workspace/ could not be found.)

[DavidOliver]

Script injection working for me in JIT 1.44, if dynamic URLs are allowed. On initial load, Image /workspace/' is shown as body content and the browser alert is shown. After clicking the button in the browser alert, the Image /workspace/ could not be found. body content is loaded.

Should this issue be deleted while a fix is created? I don't have any more recent installations of JIT to test at the moment.

[dommar04]

Im using JIT 1.44.

You can delete the ticket if you like

[michael-e]

I am afraid that I can not delete an issue. Maybe it's not possible at all. @nitriques will know.

[nitriques]

I am afraid that I can not delete an issue.

Yes we could. But that's too late.

@michael-e I've been dying to add a block direct php access in the .htaccess for quite sometimes. That's the 3rd time it would have prevented XSS...

It's not reproducible with 2.x.x because of the renderer. But yeah I can confirm that it's working under 1.44.

I think I need to fix it....

[nitriques]

A fix is available as version 1.46, see https://github.com/symphonycms/jit_image_manipulation/releases/tag/1.46.

[nitriques]

@dommar04 Can you

1. Confirm that 1.46 solves the issue.
2. Confirm that version 2.0.0 is un-affected. (i.e. /image/1/100/0/<script>alert%28%27XSS%27%29</script>)

Thanks for reporting. As @michael-e said, please write to team@getsymphony.com

@michael-e I've documented it https://github.com/symphonycms/symphony-2/wiki/Security-Bug-Disclosure

[michael-e]

Great!

[dommar04]

Yes it works in 1.46 and does not occour in 2.0.0