ZOO-Project Web Processing Service EchoProcess Cross-Site Scripting Vulnerability

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in the ZOO-Project Web Processing Service (WPS) Server, specifically within the EchoProcess service, in versions prior to the commit 7a5ae1a. This vulnerability arises because the EchoProcess service improperly sanitizes user input when processing complex data, such as XML, JSON, and SVG, allowing malicious JavaScript to be executed in the context of the victim's browser. The issue is particularly concerning as it involves a service designed to reflect user input, creating a reliable vector for XSS attacks, especially when SVG content is handled and returned with the image/svg+xml MIME type.

Impact

Exploitation of this vulnerability allows for arbitrary execution of JavaScript in the context of the victim's browser, potentially leading to session hijacking, data theft, or other client-side attacks.

Reproduction

To reproduce this vulnerability, send a POST request to the EchoProcess endpoint with an SVG payload that includes JavaScript, such as an SVG image with an onload attribute executing a JavaScript alert. The server will respond with the unfiltered SVG, and when a user visits the URL with the reflected SVG, the JavaScript will execute in their browser.

Remediation

Users are advised to update to the version containing the patch (commit 7a5ae1a) and to implement proper input validation and sanitization for user-supplied content, especially XML and SVG that may contain JavaScript. Additionally, setting a Content Security Policy (CSP) to restrict inline script execution and control loaded content can help mitigate the risk.
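The following is an added defensive example, not code from ZOO-Project or its patch: it applies the sanitization the remediation calls for to an echoed SVG (dropping script elements, on* handlers and javascript: links) and pairs the image/svg+xml response with a restrictive CSP. The sample input and the function names (sanitize_svg, echo_response) are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)          # keep output free of ns0: prefixes
ET.register_namespace("xlink", XLINK_NS)
DROP_ELEMENTS = {"script", "foreignobject"}

# Constructed sample input (not from the advisory): an SVG carrying the kind of
# onload handler the advisory describes, plus two related script vectors.
MALICIOUS_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"'
    b' onload="alert(1)"><script>alert(2)</script>'
    b'<a xlink:href="java&#9;script:alert(3)"><text x="10" y="20">hi</text></a></svg>'
)

def _local(name: str) -> str:
    """Return the lower-cased local part of a namespaced tag/attribute name."""
    return name.rsplit("}", 1)[-1].lower()

def _is_script_url(value: str) -> bool:
    # Browsers drop tabs/newlines inside a URL scheme, so strip control
    # characters and spaces first: "java\tscript:" must count as "javascript:".
    return re.sub(r"[\x00-\x20]", "", value).lower().startswith("javascript:")

def sanitize_svg(data: bytes) -> bytes:
    """Remove script elements, on* handlers and javascript: links from an SVG."""
    root = ET.fromstring(data)
    if _local(root.tag) != "svg":
        raise ValueError("not an SVG document")
    for elem in list(root.iter()):          # snapshot: the tree is edited below
        for child in list(elem):
            if _local(child.tag) in DROP_ELEMENTS:
                elem.remove(child)
        for attr in list(elem.attrib):
            local = _local(attr)
            if local.startswith("on") or (local == "href" and _is_script_url(elem.attrib[attr])):
                del elem.attrib[attr]
    return ET.tostring(root, encoding="utf-8")

def echo_response(payload: bytes) -> tuple[bytes, dict]:
    """Body and headers for returning user-supplied SVG as image/svg+xml."""
    headers = {
        "Content-Type": "image/svg+xml",
        "X-Content-Type-Options": "nosniff",
        # Defence in depth: even if a handler slipped through, no script may run.
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'",
    }
    return sanitize_svg(payload), headers
```

This blocks the vector the advisory describes; it is not a complete SVG sanitizer (animation elements, external references and CSS url() values are out of scope here).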

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.7
exploitability: 7.7
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.