“FrontAccounting ERP is open source, web-based accounting software for small and medium enterprises. It supports double entry accounting providing both low level journal entry and user friendly, document based interface for everyday business activity with automatic GL postings generation.”
I had the opportunity to work with the developer of FrontAccounting to fix a Stored XSS issue caused by unrestricted file upload. This was an educational experience in learning about the usability and security trade-off in an open source project when fixing the issue. More details can be found in the bug tracker.
In the attachment function, a user is allowed to attach a file to a particular existing transaction. However, I observed that there is no restriction on the type of file that can be uploaded.
When I opened up the attachment item, I could see that the malicious SVG file had been uploaded.
Now, if another user opens this attached file, an alert box will appear.
- The best method is to adopt a Secure by Default approach by restricting the types of file that can be uploaded. This reduces the attack surface. For example, does the application require SVG files to be uploaded at all? Perhaps the file types could be restricted to PDF, PNG, JPEG, DOCX, etc.
- If SVG is required, sanitize the uploaded SVG file:
- If sanitization is not possible, follow these approaches:
  - Load the SVG from image tags, as this prevents scripts from running.
  - Use “content-disposition: attachment”, which forces the file to be downloaded.
  - Combine (2) and (3) for double protection.
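The restrict-and-force-download approach above, as an added Python illustration (not FrontAccounting's own PHP code): an extension allowlist backed by a magic-byte check, so that SVG content is refused even when renamed to an allowed extension, plus the response headers for serving attachments as downloads. `ALLOWED_TYPES`, the function names and the sample SVG are constructed for this example.

```python
import re
from typing import Optional

# Constructed allowlist: extension -> magic bytes the content must start with.
ALLOWED_TYPES = {
    "pdf": (b"%PDF-",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "docx": (b"PK\x03\x04",),  # OOXML is a zip container
}

SVG_ROOT = re.compile(rb"<\s*svg\b", re.IGNORECASE)

# Constructed sample of the kind of upload the post describes.
SAMPLE_SVG = (b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg">'
              b"<script>alert(1)</script></svg>")


def looks_like_svg(data: bytes) -> bool:
    """Content check: SVG is XML with an <svg> root, whatever the extension says."""
    head = data[:4096].lstrip()
    return head.startswith(b"<") and SVG_ROOT.search(head) is not None


def validate_attachment(filename: str, data: bytes) -> Optional[str]:
    """Return None if the upload is acceptable, otherwise a rejection reason.

    Both the extension and the leading bytes are checked, so a file that is
    really SVG but named logo.png is still refused.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_TYPES:
        return f"extension '{ext or '(none)'}' is not allowed"
    if looks_like_svg(data):
        return "content is SVG (scriptable XML), regardless of extension"
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return f"content does not match declared type '{ext}'"
    return None


def download_headers(filename: str) -> dict:
    """Headers for serving a stored attachment: force a download instead of
    rendering in the browser, and stop the browser from sniffing the type."""
    safe = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe}"',
        "X-Content-Type-Options": "nosniff",
    }
```

Run on a real upload handler, the rejection reason would be logged and shown to the user, and `download_headers` applied on every attachment response rather than only for SVG.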