SVG XSS in Unifi v5.0.2

This is another finding in Unifi Controller.

Description:

I have found a persistent XSS vulnerability in Unifi Controller that allows attackers to steal users' cookies, perform CSRF attacks against the victim's account, or carry out phishing attacks. The vulnerability occurs because the page accepts SVG attachments that contain xmlns="http://www.w3.org/1999/xhtml"; the page then renders the content of the XML as HTML, resulting in XSS.

Many websites now allow SVG files to be uploaded under the images category. But do they filter the content of the SVG file before placing it on the server? The answer is, ummm…? To verify this, I created an SVG file with the XSS vector below and started testing websites that allow image uploads.

Demo:

http://guptashubham.com/poc.svg

Reproduce:

1). While logged in to Unifi Controller, go to https://localhost:8443/manage/site/urrhpg78/maps
2). Under Image, upload poc.svg.
3). Click “Upload File”.
4). Once the file is uploaded, open the image.
5). See the XSS alert.

Direct link:

The direct link will be something like

https://localhost:8443/file/s/urrhpg78/map/ID

[Screenshot: unifi_controller_5-0-2_beta_svg_xss]

I found the same bug in some other applications; you can have a look at Jasminder Pal Singh's blog. This bug also affects demo.ubnt.com.

Fix:

A simple fix for this vulnerability is to block SVG file uploads. If that isn't possible, a good approach is to parse the SVG file and reject the upload if it contains HTML or invalid tags.
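As an added illustration of the second option (this is example code, not code from the post or from Ubiquiti), here is an upload-time check that parses an SVG with Python's standard xml.etree and rejects anything that carries XHTML-namespace elements, script or foreignObject elements, event-handler attributes, or href values with a script/data URL scheme. The sample SVG inputs are constructed for the example, and the function and constant names are assumptions of mine, not part of any real upload handler.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XHTML_NS = "http://www.w3.org/1999/xhtml"
XLINK_NS = "http://www.w3.org/1999/xlink"

# SVG elements that run script or embed a foreign (HTML) document.
FORBIDDEN_ELEMENTS = {"script", "foreignObject", "iframe", "object", "embed"}
# URL schemes that must not appear in href / xlink:href attributes.
FORBIDDEN_SCHEMES = ("javascript:", "data:", "vbscript:")


def _split(qname):
    """Split an ElementTree '{namespace}local' name into (namespace, local)."""
    if qname.startswith("{"):
        ns, local = qname[1:].split("}", 1)
        return ns, local
    return "", qname


def find_svg_issues(data):
    """Parse an uploaded SVG and return the list of reasons to reject it.

    An empty list means the file is acceptable. The check is allowlist based:
    any element outside the SVG namespace (HTML in particular) is reported.
    xml.etree does not defend against entity-expansion tricks, so a real
    upload handler should parse with defusedxml.ElementTree instead.
    """
    issues = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]

    if root.tag != f"{{{SVG_NS}}}svg":
        issues.append("root element is not svg:svg")

    for elem in root.iter():
        if not isinstance(elem.tag, str):  # skip comments / PIs if present
            continue
        ns, local = _split(elem.tag)
        if ns == XHTML_NS:
            issues.append(f"HTML element <{local}> (XHTML namespace)")
        elif ns != SVG_NS:
            issues.append(f"non-SVG element <{local}> in namespace {ns!r}")
        elif local in FORBIDDEN_ELEMENTS:
            issues.append(f"forbidden element <{local}>")

        for attr, value in elem.attrib.items():
            attr_ns, attr_local = _split(attr)
            if attr_local.lower().startswith("on"):
                issues.append(f"event handler attribute {attr_local} on <{local}>")
            elif attr_local == "href" and attr_ns in ("", XLINK_NS):
                if value.strip().lower().startswith(FORBIDDEN_SCHEMES):
                    issues.append(f"{attr_local} with forbidden URL scheme on <{local}>")
    return issues


def is_safe_svg(data):
    """True when the upload should be accepted."""
    return not find_svg_issues(data)


# Constructed sample uploads (not the post's poc.svg).
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              b'<rect width="10" height="10" fill="red"/></svg>')
# An SVG that smuggles HTML via the XHTML namespace, the pattern the post describes.
HTML_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg"><foreignObject>'
            b'<body xmlns="http://www.w3.org/1999/xhtml"><p>html</p></body>'
            b'</foreignObject></svg>')
SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* constructed */</script></svg>'
HANDLER_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="/* constructed */"/>'

if __name__ == "__main__":
    for name, sample in [("benign", BENIGN_SVG), ("html", HTML_SVG),
                         ("script", SCRIPT_SVG), ("handler", HANDLER_SVG)]:
        print(name, "->", find_svg_issues(sample) or "accepted")
```

Rejecting on the namespace rather than on a blacklist of tag names is what makes this hold up: the post's vector works precisely because elements declared in the XHTML namespace are rendered as HTML, so any element in that namespace is grounds for refusal regardless of its name.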

Exploit Scenario:
As with the http://guptashubham.com/stored-xss-in-unifi-v4-8-12-controller finding, this attack requires valid admin credentials, so it is only viable for one admin to attack another.

Big thanks to @93c08539 for the bounty 🙂 and for helping me a lot.

shubhamgupta