FuguHub
cpe:2.3:a:realtimelogic:fuguhub:*:*:*:*:windows:*:*
- 8.1
A reflected cross-site scripting vulnerability has been identified in FuguHub version 8.1. This issue arises when SVG files are served through the '/fs/' file manager interface. FuguHub fails to properly sanitize SVG content, allowing inline script execution. When a user opens a manipulated SVG file containing a script element, the browser executes the embedded JavaScript controlled by the attacker.
Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the context of the user's browser, potentially leading to credential or session hijacking, manipulation of the user interface, phishing attacks, forced actions within the application, or an expanded attack surface across users.
To reproduce this vulnerability, upload a crafted SVG file containing an inline script element to the FuguHub file manager. Once the file is uploaded, access it through the file manager interface. The browser will execute the JavaScript embedded in the SVG, demonstrating the cross-site scripting vulnerability.
Users are advised to strip script tags and event attributes from SVG files, disable inline script execution or enforce sandboxing, apply a strong Content-Security-Policy, restrict SVG uploads or convert them to raster formats like PNG, and sanitize or parse SVG files before serving them through the file manager interface.
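One way to apply the sanitize-before-serving advice above, as an added example (not FuguHub's code and not from the advisory): a Python filter that re-serializes an uploaded SVG with scripts and event attributes removed. The element allowlist, the rule that keeps only same-document href values, the SAMPLE input and the SAFE_SVG_HEADERS values are assumptions made for this example, and they are stricter than the script-tag and event-attribute stripping the advisory names.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", "http://www.w3.org/1999/xlink")

# Static drawing elements only (assumed allowlist). script, foreignObject,
# animation elements and anything outside the SVG namespace are not listed.
ALLOWED = {f"{{{SVG_NS}}}{n}" for n in (
    "svg g path rect circle ellipse line polyline polygon text tspan title "
    "desc defs linearGradient radialGradient stop clipPath use").split()}

# Response headers for user-supplied SVG (assumed policy, tune per deployment).
SAFE_SVG_HEADERS = {
    "Content-Type": "image/svg+xml",
    "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
    "X-Content-Type-Options": "nosniff",
}

# Constructed sample upload, used only to exercise the filter.
SAMPLE = (b'<svg xmlns="http://www.w3.org/2000/svg" '
          b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="x()">'
          b'<script>x()</script><rect width="10" height="10" onclick="x()"/>'
          b'<use xlink:href="#a"/><a xlink:href="javascript:x()"/></svg>')

def _clean_attrs(el):
    for name in list(el.attrib):
        local = name.rsplit("}", 1)[-1].lower()   # drop the '{namespace}' prefix
        if local.startswith("on"):                # onload, onclick, ...
            del el.attrib[name]
        elif local == "href" and not el.attrib[name].strip().startswith("#"):
            del el.attrib[name]                   # keep same-document refs only

def sanitize_svg(data: bytes) -> bytes:
    """Return a script-free copy of an uploaded SVG, or raise ValueError."""
    if b"<!DOCTYPE" in data.upper():
        raise ValueError("DTD not allowed in uploaded SVG")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from exc
    if root.tag != f"{{{SVG_NS}}}svg":
        raise ValueError("root element is not <svg>")
    for parent in list(root.iter()):
        _clean_attrs(parent)
        for child in list(parent):
            if child.tag not in ALLOWED:
                parent.remove(child)              # removes the whole subtree
    return ET.tostring(root, encoding="utf-8")
```

Store and serve the output of sanitize_svg rather than the original upload, and send SAFE_SVG_HEADERS with it so that a file that slips past the filter still cannot run script.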