eyeos - Persistent Cross-Site Scripting Using Image Files








Title: eyeOS <= Stored XSS vulnerability using image files
Product: eyeOS <=
Author: Alberto Ortega @a0rtega alberto[at]pentbox[dot]net

- Summary:

A stored XSS vulnerability using image files (jpg, png, gif tested) affects to eyeOS version, older versions are probably affected too. eyeOS 2.x branch doesn't seem to be affected.

- Attack vector:

eyeOS is a virtual desktop where you can store files (besides other amazing stuff). The filetype is determined by the extension (in example .txt or .jpg).

When the user opens an image file in eyeOS, a new html frame is opened with the image file.

It's ok, the problem is that we can upload files that aren't images with an image extension, and it will be opened in a frame too. That means that we can upload a HTML file (with JS inside, why not?) and it will be opened in a new frame when an user click on it.

Stored XSS is done.

- PoC file:

$ file xss.jpg
xss.jpg: HTML document text
$ cat xss.jpg
<!doctype html>
<script>alert("XSS done");</script>

- Risks and consequences:

Malicious users can inject code inside image files (malware, browser exploits, etc...) to attack other users and compromise the whole system via shared files or internal messages.

- Mitigations:

Disallow public dirs.

Avoid work with images.

- Solution:

Verify on the server side that the file extension matchs with the filetype before store it in the system.