Jirafeau
cpe:2.3:a:jirafeau:jirafeau:*:*:*:*:*:*:*
- < 4.6.3
- >= 4.5.0, < 4.6.1
A cross-site scripting vulnerability has been identified in Jirafeau versions from 4.5.0 up to, but not including, 4.6.1. Jirafeau allows browser previews for certain file types, and a previewed SVG file can be used to execute JavaScript. Jirafeau normally blocks previews of SVG files by enforcing strict MIME type checks, but this protection can be bypassed: an attacker can upload a file with a manipulated MIME type that tricks the server into allowing the preview. When the preview is accessed, the browser's MIME type detection can result in the embedded JavaScript being executed. The vulnerability stems from improper input handling during file uploads, particularly with SVG files, which are known to pose scripting risks.
Exploitation of this vulnerability allows for cross-site scripting attacks, where an attacker can inject and execute malicious scripts in the context of the user's browser.
To reproduce this vulnerability, upload a file with a manipulated MIME type that bypasses Jirafeau's checks for SVG files. This can be done by changing the case of the 'image/svg+xml' MIME type or by including additional types that could be interpreted as valid, such as 'text/html'. Once the file is uploaded, access the preview URL, which will trigger the execution of any injected JavaScript.
Users can update to Jirafeau versions 4.6.1 or later, where this vulnerability has been addressed.
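The bypass described above works against checks that compare the uploaded MIME string exactly. The following PHP is an added example, not Jirafeau's code or its actual fix: it contrasts such a check with one that normalizes the value and applies an allowlist before deciding on a preview. The function names, the allowlist contents and the sample values are assumptions made for illustration.

```php
<?php
// Added example; function names and the allowlist are hypothetical, not Jirafeau's code.
const PREVIEW_ALLOWLIST = ['image/png', 'image/jpeg', 'image/gif', 'text/plain'];

// Weak pattern: denylist with an exact, case-sensitive comparison.
function weak_preview_allowed(string $mime): bool
{
    return $mime !== 'image/svg+xml';
}

// Reduce a client-supplied value to one lowercase type/subtype, or null.
function normalize_mime(string $mime): ?string
{
    // Drop parameters such as ";charset=utf-8", then whitespace and case.
    $type = strtolower(trim(explode(';', $mime, 2)[0]));
    // Exactly one token pair; commas or spaces (several types) are rejected.
    $ok = preg_match('~^[a-z0-9][a-z0-9.+-]*/[a-z0-9][a-z0-9.+-]*$~D', $type);
    return $ok === 1 ? $type : null;
}

// Hardened pattern: allowlist applied to the normalized value.
function preview_allowed(string $mime): bool
{
    $type = normalize_mime($mime);
    return $type !== null && in_array($type, PREVIEW_ALLOWLIST, true);
}

// Headers for the download response: never echo the uploaded string back.
function response_headers(string $mime): array
{
    $inline = preview_allowed($mime);
    return [
        'Content-Type: ' . ($inline ? normalize_mime($mime) : 'application/octet-stream'),
        'Content-Disposition: ' . ($inline ? 'inline' : 'attachment'),
        'X-Content-Type-Options: nosniff',
    ];
}

// Constructed sample values covering the variations the advisory describes.
$samples = ['image/png', 'image/svg+xml', 'Image/SVG+XML', 'image/png, text/html'];
foreach ($samples as $mime) {
    printf("%-22s weak=%-5s hardened=%-5s %s\n", $mime,
        var_export(weak_preview_allowed($mime), true),
        var_export(preview_allowed($mime), true),
        response_headers($mime)[1]);
}
```

Only the first sample is previewed by the hardened check; the weak check lets the last two through, and every rejected value is served as an attachment with `nosniff` set so the browser does not reinterpret it.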