Forum

svg upload - is it a risk

Fred
16 September 2016, 14:02
Hi Hugo,

We are using a WordPress site and one of our themes has SVG upload built in...
My understanding is that SVG files shouldn't be loaded on a production public-facing server, as someone could upload an XML bomb, an SVG with an XXE attack or even a lovely XSS attack...

Could you please tell me if the core features of Hiawatha will block such attacks with the default setup?
I am asking you also because I know you have many years of pentesting behind you.

Thank you
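A defender-side version of the upload check Fred is asking about, added here as an example (it is not code from the Hiawatha forum, from Hiawatha or from WordPress): it refuses an uploaded SVG that carries a DOCTYPE or entity declaration (the XML bomb and XXE vectors), script elements, event-handler attributes or off-site references (the XSS vectors). The sample SVGs, the size limit and the element and attribute lists are constructed assumptions for illustration.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
HREF_ATTRS = {"href", "{http://www.w3.org/1999/xlink}href"}
FORBIDDEN_TAGS = {"script", "foreignobject"}          # compared lower-cased
# Markup that lets an SVG declare entities or pull in other documents.
FORBIDDEN_MARKUP = (b"<!doctype", b"<!entity", b"<?xml-stylesheet")
MAX_BYTES = 256 * 1024                                # assumed upload limit

# Constructed test vectors: a harmless icon and two files that must be refused.
BENIGN = b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4" fill="#09f"/></svg>'
XXE_STYLE = (b'<?xml version="1.0"?><!DOCTYPE svg [<!ENTITY ext SYSTEM "file:///placeholder">]>'
             b'<svg xmlns="http://www.w3.org/2000/svg"><text>&ext;</text></svg>')
XSS_STYLE = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="/* handler */">'
             b'<script>/* constructed */</script>'
             b'<image href="http://example.invalid/i.png"/></svg>')


def local_name(qname: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return qname.rsplit("}", 1)[-1]


def check_svg(data: bytes) -> list[str]:
    """Return the reasons to reject an uploaded SVG; an empty list means accept."""
    if len(data) > MAX_BYTES:
        return ["file exceeds size limit"]
    lowered = data.lower()
    problems = [f"forbidden markup {m.decode()!r}" for m in FORBIDDEN_MARKUP if m in lowered]
    if problems:                      # never hand a DOCTYPE to the XML parser
        return problems
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{SVG_NS}}}svg":
        problems.append("root element is not <svg>")
    for el in root.iter():
        if local_name(el.tag).lower() in FORBIDDEN_TAGS:
            problems.append(f"forbidden element <{local_name(el.tag)}>")
        for attr, value in el.attrib.items():
            name = local_name(attr).lower()
            if name.startswith("on"):
                problems.append(f"event handler attribute {name!r}")
            elif attr in HREF_ATTRS and not value.strip().startswith("#"):
                problems.append(f"non-local reference {value.strip()[:40]!r}")
            elif name == "style" and "url(" in value.lower():
                problems.append("url() in style attribute")
    return problems
```

Run `check_svg()` on the upload before it is written under /upload; anything that returns a non-empty list is rejected and the reasons logged, so the web server never has to serve the file at all.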
Hugo Leisink
19 September 2016, 11:10
I have no experience with the WordPress SVG upload functionality, so I don't know how secure it is. So, I also don't know if Hiawatha's XSS prevention option will help. All I can do is advise not to use WordPress. It has a history of bad security and many exploits. If you still want to use it, despite all the warnings, the risk is all yours.
Fred
26 September 2016, 17:07
Hi Hugo,

Thank you for the reply, I really appreciate the input, but WordPress is what people want at the moment.. so unless we spend a fortune reinventing a new secure CMS, I have no choice at the moment.

I am however willing to consider alternatives... Could you please suggest a ready-to-use CMS that can be used for e-commerce?

I took the decision to use Font Awesome over SVG.. as you said, WordPress has enough holes as it stands..

To secure it, we set read-only permissions on www except /upload and do all updates via the CLI.
Hugo Leisink
27 September 2016, 11:03
It requires some programming to adjust it to your needs, but have you seen my CMS [www.banshee-php.org] yet?
Fred
3 October 2016, 09:34
I looked at it last year.. I'll take another look :)
This topic has been closed.