Passive XSS in plupload
Steps to reproduce:
- rename picture.png to <img\ src="x.gif"\ onerror="alert(document.cookie)"\ >DSC01265.jpg
- Using the standard method, try to upload the file.
- You will get an alert with the cookies.
It is probably about one of the widgets..?
I managed to reproduce this bug in all examples at http://www.plupload.com/examples
Use Linux; Windows doesn't allow creating files with such names. Just rename the file as in the example and try to upload.
I mean it's an implementation bug, not Plupload's. But yes, pretty alarming anyway. Thanks for bringing this up.
@jayarjo does Plupload plan to fix the widgets distributed with the package?
Hello, sorry to bring this up. @jayarjo, you said it's an implementation bug; can you explain more?
Actually, I'm using Plupload in a website I'm willing to secure, but I see this breach hasn't been fixed yet. What should I do? Keep Plupload if you think it will be fixed soon (?), or should I change Plupload for some other library because there's no wish to fix this XSS?
(No offence meant, just trying to figure out what to do for the website)
Thanks!
Hi, I've got the same problem and it's pretty important. I tried to add a filter but it does not seem to be enough.
Example:
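```javascript
plupload.addFileFilter('checkFilename', function(defaultReturn, file, cb) {
    // Parse the name as HTML and read back its text; markup in the name makes the two differ.
    var filename = $('<div>').html(file.name).text();
    if (filename !== file.name) {
        // Report the rejected file through Plupload's Error event.
        this.trigger('Error', {
            code : plupload.SECURITY_ERROR,
            message : 'Security Invalid',
            file : file
        });
        cb(false);
        return;
    }
    cb(true);
});
```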
@jayarjo Will you fix the widget anytime soon?
Thanks.
Adding a filter is a way to go. In your case it doesn't work 'cause you are not testing for invalid characters in the filename.
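A filter that tests the file name for disallowed characters, as the reply above suggests, paired with escaping the name wherever the UI builds markup from it. This is an added example, not code from the thread or from Plupload; `isSafeUploadName`, `escapeHtml` and the rejected character set are assumptions, and the check deliberately does no HTML parsing of the name.

```javascript
// Added example, not from the thread. Helper names are hypothetical.
// Assumed policy: reject markup/attribute delimiters, path separators and
// control characters outright instead of trying to "clean" the name.
const UNSAFE_NAME_CHARS = /[<>"'`&\/\\\u0000-\u001f\u007f]/;

function isSafeUploadName(name) {
  return typeof name === 'string' && name.length > 0 && name.length <= 255 &&
    !UNSAFE_NAME_CHARS.test(name);
}

// Escape a value for HTML text or a quoted attribute. Apply this where the UI
// builds markup from the name, whether or not the filter has run.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, function (ch) { return map[ch]; });
}

// Register with Plupload when it is loaded (guarded so the helpers also run
// outside a browser).
if (typeof plupload !== 'undefined') {
  plupload.addFileFilter('checkFilename', function (enabled, file, cb) {
    if (enabled && !isSafeUploadName(file.name)) {
      this.trigger('Error', {
        code: plupload.SECURITY_ERROR,
        message: 'File name contains characters that are not allowed',
        file: file
      });
      cb(false);
      return;
    }
    cb(true);
  });
}

// Constructed samples: a plain name and the name from the reproduction steps
// (shell escapes removed).
const samples = [
  'DSC01265.jpg',
  '<img src="x.gif" onerror="alert(document.cookie)" >DSC01265.jpg'
];
const report = samples.map(function (n) {
  return { safe: isSafeUploadName(n), html: escapeHtml(n) };
});
```

In Plupload 2 a custom filter runs only for uploaders whose `filters` option includes its key, for example `filters: { checkFilename: true }`.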
Hello, it is 2023 now and this issue is still open...? I can't reproduce this issue in PL 2.3.9 here https://www.plupload.com/examples.
Maybe someone can review and close this?
Thank you.