scalar/astro - 0.1.13
An arbitrary file upload vulnerability has been identified in Scalar/Astro version 0.1.13. The issue arises in the Scalar Proxy endpoint, where the 'scalar_url' query parameter lets an attacker point the proxy at a crafted SVG file hosted on a server they control. This vulnerability enables the execution of arbitrary code because SVG files can contain embedded JavaScript: when the malicious SVG is fetched by the proxy and served to the victim's browser, the embedded script is executed in the context of 'proxy.scalar.com'.
Exploitation of this vulnerability allows for reflected cross-site scripting (XSS) and open redirect issues. The XSS component is particularly severe, as the JavaScript runs in the context of 'proxy.scalar.com', where an attacker could steal cookies, redirect victims to phishing pages, or perform actions in the victim's browser under the 'proxy.scalar.com' origin.
To reproduce this vulnerability, upload an SVG file containing a JavaScript payload, such as an alert or a script to steal cookies, to an attacker-controlled server. Then, craft a URL that points to this SVG file and include it in the 'scalar_url' parameter of a request to the Scalar Proxy endpoint. When the victim visits this URL, the proxy will fetch the SVG file, execute the embedded JavaScript in the victim's browser, and the specified action (like displaying an alert or stealing cookies) will occur.
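The root cause above is that the proxy relays a fetched SVG as a renderable document under its own origin. As an added example (not Scalar's code, and not the fix the project shipped, which this entry does not describe), the following hardening helper sets response headers so a relayed body is never rendered as an active document at the proxy origin; the function names and the sample upstream headers are assumptions constructed for illustration.

```javascript
// Added example: harden headers on a proxied response so that content fetched
// from a user-supplied URL cannot execute script under the proxy's origin.
// fetch()/XHR callers are unaffected; only top-level navigation to the proxy
// URL changes behaviour (download instead of render, sandboxed if rendered).

// Content types browsers will execute script from when rendered inline.
const ACTIVE_TYPES = new Set([
  'image/svg+xml',
  'text/html',
  'application/xhtml+xml',
  'text/xml',
  'application/xml',
  'text/javascript',
  'application/javascript',
]);

// Strip parameters such as "; charset=utf-8" and normalise case.
function baseType(contentType) {
  return (contentType || '').split(';')[0].trim().toLowerCase();
}

// True when the upstream type is one that can carry active content.
function isActiveContent(contentType) {
  return ACTIVE_TYPES.has(baseType(contentType));
}

// Build the headers the proxy should send back, given the upstream headers
// (plain object, lower-case keys). The upstream Content-Type is preserved so
// API clients still parse JSON etc.; the other headers prevent rendering.
function hardenProxyHeaders(upstreamHeaders) {
  const type = baseType(upstreamHeaders['content-type']);
  return {
    'content-type': type === '' ? 'application/octet-stream' : type,
    // Forbid MIME sniffing, so an "octet-stream" is not upgraded to SVG/HTML.
    'x-content-type-options': 'nosniff',
    // Navigating to the proxy URL downloads the body instead of rendering it.
    'content-disposition': 'attachment',
    // If a document is created anyway, the sandbox gives it an opaque origin:
    // no script, no access to proxy.scalar.com cookies or storage.
    'content-security-policy': "sandbox; default-src 'none'",
    // Whether the upstream type was active content (useful for logging/alerts).
    'x-proxy-active-content': isActiveContent(type) ? 'true' : 'false',
  };
}

// Constructed sample: the SVG case from the advisory.
const sampleSvg = hardenProxyHeaders({ 'content-type': 'image/svg+xml; charset=utf-8' });

module.exports = { baseType, isActiveContent, hardenProxyHeaders, sampleSvg };
```

The `x-proxy-active-content` header is a hypothetical marker for the operator's own detection logging, not a browser-recognised header; drop it if the proxy has another audit path.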