CVE-2024-12326 - Bypassing SVG Preview Restrictions in Jirafeau via Mixed-Case MIME Types
Date Published: 2024-06-20
Overview
Jirafeau is a popular open-source lightweight file sharing web application. By design, it prevents the preview of SVG files in browsers—a critical security measure—because SVGs can carry script payloads that launch cross-site scripting (XSS) attacks. The restriction works by checking whether a file’s MIME type is image/svg+xml and, if so, disabling in-browser preview.
However, just like a classic movie twist, this protection could be fooled if the MIME type had mixed uppercase and lowercase letters, such as image/svg+XML or IMAGE/SVG+XML. That’s the crux of CVE-2024-12326: the restriction only looked for the lowercase string image/svg+xml and allowed a preview for any other spelling.
Let’s dig into exactly how this bypass works, show a proof-of-concept, and talk about how it was fixed.
- SVG files: They’re images in XML format, but an SVG document can embed <script> elements and other active content.
- Browser Preview: If a user uploads and then previews a malicious SVG, that could execute attacker-controlled scripts in the user’s browser. Preventing SVG preview is a security best practice.
Jirafeau implemented this in code: when a file is uploaded, it stores the MIME type, and if it’s exactly image/svg+xml, it blocks the browser preview.
Previous Vulnerability
CVE-2022-30110
A similar issue was found earlier, where SVG previews could lead to XSS. The fix: don’t allow preview if the MIME type equals image/svg+xml. Sounds good, until someone realized…
How the Bypass Works
HTTP, MIME, and HTML standards treat MIME types as case-insensitive. So, IMAGE/SVG+XML and image/svg+xml must be considered equal (see RFC 7231, section 3.1.1.1).
Jirafeau’s code only checked for the lowercase spelling. An uploader could send a mixed- or uppercase variant, which Jirafeau treated as a different, unrestricted MIME type—allowing preview (and, therefore, possible XSS).
Step 1: Create a file called exploit.svg
<svg xmlns="http://www.w3.org/2000/svg">
  <script type="text/javascript">
    alert('XSS Exploit!');
  </script>
</svg>
Step 2: Upload with Mixed-Case MIME
Use curl or Burp Suite to make a POST request that sets the MIME type directly:
curl -X POST -F "file=@exploit.svg;type=IMAGE/SVG+XML" https://jirafeau.example.com/upload.php
Or intercept with Burp and change the Content-Type accordingly.
Step 3: Trigger Preview
Go to the share link and click Preview. Because Jirafeau didn’t recognize IMAGE/SVG+XML as a banned type (it was looking for image/svg+xml exactly!), it allows the in-browser preview, which pops the XSS alert.
- Impact: Full browser-based XSS for anyone previewing the file.
- Difficulty: Low—no authentication, no special permissions needed (depends on instance config).
Here's a simplified version of what was in Jirafeau before the patch:
// Old code: case-sensitive comparison, so 'IMAGE/SVG+XML' is not matched
if ($mime_type == 'image/svg+xml') {
    $can_preview = false;
}
Correct fix: make the comparison case-insensitive using PHP’s strcasecmp():
// Patched code: case-insensitive check (strcasecmp() returns 0 on a match)
if (strcasecmp($mime_type, 'image/svg+xml') === 0) {
    $can_preview = false;
}
or, equivalently, by lowercasing the value before comparing:
if (strtolower($mime_type) === 'image/svg+xml') {
    $can_preview = false;
}
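As an added example (not Jirafeau’s own code), here is how a preview gate can normalise the declared media type before the deny-list comparison, so that media-type parameters and surrounding whitespace are handled as well as letter case; PREVIEW_DENYLIST, normalize_media_type() and can_preview() are hypothetical names, and the sample inputs are constructed:

```php
<?php
// Added example, not Jirafeau's own code: normalise an uploaded Content-Type
// before comparing it with a deny-list, so letter case, surrounding whitespace
// and media-type parameters (e.g. "; charset=utf-8") cannot defeat the check.
declare(strict_types=1);
// Media types whose in-browser preview is blocked (lowercase; every comparison
// goes through normalize_media_type()). Constant name is hypothetical.
const PREVIEW_DENYLIST = ['image/svg+xml'];

// Reduce a Content-Type value to canonical "type/subtype": parameters dropped,
// whitespace trimmed, ASCII-lowercased; null if not a plausible media type.
function normalize_media_type(string $content_type): ?string
{
    // Keep only the part before the first ';' (RFC 7231 §3.1.1.1 parameters).
    $base = explode(';', $content_type, 2)[0];
    // strtolower() was locale-sensitive before PHP 8.2, so re-validate as pure
    // ASCII: a byte folded by the locale fails the pattern and is rejected.
    $base = strtolower(trim($base));
    if (!preg_match('~^[a-z0-9][a-z0-9!#$&^_.+-]*/[a-z0-9][a-z0-9!#$&^_.+-]*$~', $base)) {
        return null;
    }
    return $base;
}

// Whether a file with the given declared Content-Type may be previewed inline.
// Unparseable types are treated as not previewable (fail closed).
function can_preview(string $content_type): bool
{
    $type = normalize_media_type($content_type);
    return $type !== null && !in_array($type, PREVIEW_DENYLIST, true);
}

// Constructed sample inputs: the variants from the advisory plus a parameterised
// form, a benign type and garbage. Expected value: true = preview allowed.
$samples = [
    'image/svg+xml'                  => false,
    'IMAGE/SVG+XML'                  => false,
    'image/svg+XML'                  => false,
    ' image/svg+xml ; charset=utf-8' => false,
    'image/png'                      => true,
    'not a media type'               => false,
];
foreach ($samples as $input => $expected) {
    $result = can_preview($input);
    if ($result !== $expected) {
        throw new RuntimeException("unexpected result for '$input'");
    }
    printf("%-34s -> preview %s\n", var_export($input, true), $result ? 'allowed' : 'blocked');
}
```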
Mitigation & Fix
The fix was simple but crucial: check the MIME type case-insensitively.
- Upgrade: All users should ensure they’re using the latest version of Jirafeau.
- Patch reference: jirafeau/jirafeau#pr-XYZ (Replace XYZ with actual PR number when available)
- Admins: You can add a web server rule to block SVG previews at the HTTP level, as additional defense.
References
- CVE-2024-12326 at NVD
- CVE-2022-30110 at NVD
- Jirafeau Security Releases
- RFC 7231: Hypertext Transfer Protocol Message Syntax and Routing
- SVG & Browser XSS
In Summary
CVE-2024-12326 reminds us that filters need to follow standards: MIME types are case-insensitive! Even simple mistakes can lead to full XSS exploits. Always keep software up to date, review your upload and preview logic, and remember—the attacker will try the corner cases you forgot!
Timeline
Published on: 12/06/2024 21:15:05 UTC