cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

XSS Vulnerability using Context parameter when retrieving images

Former Member

on ‎11-12-2015 4:30 PM

0 Kudos

We are going through a security assessment and one of the items identified is that the context parameter is vulnerability to a Cross-Site Scripting (XXS) when retrieving images within Hybris.

Their example is the following: http://image.png?context=

My question is can this xss attack be exploited via the context parameter. I know that the context parameter is the encoded image path; would the javascript not being successfully decoded to a path (1) not display an image (2)not execute the javascript.

Thoughts?

Show replies
Show replies
former_member387866
Active Contributor
‎11-12-2015 5:54 PM
0 Kudos

Hi Anthony,

Please create a Support Incident with hybris Product Support about this please.

Regards,
Luke

Answer

Accepted Solutions (0)

Answers (1)

Answers (1)

Former Member
‎11-18-2015 12:06 PM
0 Kudos

Context parameter is used as a pointer to specific media file. This is not XSS per se, if you upload some malicious script as media file (can be even in html format) and later one point to it or navigate to media url then script will run.

Platform is not validating content of uploaded media files. In order to perform this kind of attack attacker needs: 1. Rights to upload malicious script as media 2. Send link to victim, or edit specific page content injecting uploaded media.

In first place media upload should be restricted only to your internal network.

Show replies
Show replies
Ask a Question