-
-
Notifications
You must be signed in to change notification settings - Fork 195
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Stop executing SVG #279
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi,
When I was uploading image attachments from my computer,I've realized
that I can upload SVG files and then I've tried to look SVG file that
I attached,and I understood you execute SVG files which is can be
malicious redirecting to a website or executing javascript codes for
members.
Steps to reproduce
PoC:
1-Go to https://cloudboost.io/files/qubdywxivwed
2-From attachments click on "Upload File"
3-Upload svg files that I gave you (redirect.svg)
4-Now, right click on attached svg and open in new tab (see example in poc.png)
7-You'll be redirected to example.com.
How To Fox:
You should stop executing svg files and display its's code like
HTML,as you know SVG files can be used like HTML codes which is
dangerous.
--
Thank You
Ashish Dhaduk
redirect.svg
The text was updated successfully, but these errors were encountered: