漏洞标题
Label Studio 在Avatar上传中存在XSS漏洞
漏洞描述信息
Label Studio是一种流行的开源数据标记工具。在版本1.9.2之前,该软件存在跨站点脚本漏洞(XSS)。如果已验证的用户上传了一个精心设计的图像文件作为他们的头像,则可能会利用该漏洞。执行任意的JavaScript代码可以导致攻击者在Label Studio用户访问这些头像时进行恶意操作。例如,一个攻击者可以创建一个JavaScript有效载荷来添加一个新的Django Super Administrator用户,如果一个Django管理员访问这些头像。
`users/functions.py`文件中第18-49行显示,只进行了对图像文件格式的验证,即通过从文件中提取图像尺寸来判断图像文件是否合法。Label Studio使用Django内置的`serve`视图显示头像图片,但这种方式在生产环境中不安全,根据Django的文档说明。这种问题的原因是,Django `serve`视图通过URL路径中的文件后缀来确定响应的`Content-Type`。因此,攻击者可以上传一个含有恶意HTML代码的图片并将其命名为`.html`扩展名,以便在网站上显示为HTML页面。只进行了客户端验证,这些验证很容易被绕过。
版本1.9.2修复了这个问题。其他的补救措施包括在服务器端验证文件后缀,而不是依靠客户端代码;移除Django内置的`serve`视图并实现一个安全的控制器来查看上传的头像图片;将文件内容保存在数据库中以减轻其他与文件相关的漏洞;以及避免信任用户控制输入。
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
漏洞类别
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
漏洞标题
Label Studio XSS Vulnerability on Avatar Upload
漏洞描述信息
Label Studio is an a popular open source data labeling tool. Versions prior to 1.9.2 have a cross-site scripting (XSS) vulnerability that could be exploited when an authenticated user uploads a crafted image file for their avatar that gets rendered as a HTML file on the website. Executing arbitrary JavaScript could result in an attacker performing malicious actions on Label Studio users if they visit the crafted avatar image. For an example, an attacker can craft a JavaScript payload that adds a new Django Super Administrator user if a Django administrator visits the image.
The file `users/functions.py` lines 18-49 show that the only verification check is that the file is an image by extracting the dimensions from the file. Label Studio serves avatar images using Django's built-in `serve` view, which is not secure for production use according to Django's documentation. The issue with the Django `serve` view is that it determines the `Content-Type` of the response by the file extension in the URL path. Therefore, an attacker can upload an image that contains malicious HTML code and name the file with a `.html` extension to be rendered as a HTML page. The only file extension validation is performed on the client-side, which can be easily bypassed.
Version 1.9.2 fixes this issue. Other remediation strategies include validating the file extension on the server side, not in client-side code; removing the use of Django's `serve` view and implement a secure controller for viewing uploaded avatar images; saving file content in the database rather than on the filesystem to mitigate against other file related vulnerabilities; and avoiding trusting user controlled inputs.
CVSS信息
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
漏洞类别
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
漏洞标题
Label Studio 跨站脚本漏洞
漏洞描述信息
Label Studio是Heartex开源的一个开源数据标注工具。允许您使用简单明了的 UI 标记音频、文本、图像、视频和时间序列等数据类型,并导出为各种模型格式。 Label Studio 1.9.2之前版本存在跨站脚本漏洞,该漏洞源于存在跨站脚本(XSS)漏洞,经过身份验证的攻击者可以执行任意JavaScript。
CVSS信息
N/A
漏洞类别
跨站脚本