Impact
Users can upload arbitrary content to the Wire servers as assets, which can lead to XSS attacks on app.wire.com.
Notes
This advisory is one part of the fix for this issue. GHSA-382j-mmc8-m5rw closes the concrete attack vector of image assets.
Patches
A patch was introduced in this commit, which was released as part of wire-server version 2.108.0
(release v2021-06-08). In this patch, the content type of assets is set by the server to application/octet-stream
on all asset uploads (files sent in chats as well as profile pictures). The server thus effectively rewrites upload requests like this:
POST /assets/v3
Content-Length: 12345
Content-Type: multipart/mixed; boundary=frontier
--frontier
Content-Type: application/json
Content-Length: 16
{"public":false, "retention": "persistent"}
--frontier
< Content-Type: image/jpeg
> Content-Type: application/octet-stream
Content-Length: 1234
Content-MD5: sQqNsWTgdUEFt6mb5y4/5Q==
...
--frontier--
As a result, clients downloading assets will see the application/octet-stream
MIME type when downloading or showing an asset, even when an uploading client set a different content type on the request, because the sent content type is now ignored.
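The rewrite described above, as an added example that is not wire-server's own code: a small multipart/mixed parser that leaves the JSON metadata part untouched and forces the Content-Type of every asset part to application/octet-stream, no matter what the uploading client declared. The request body, the boundary name and the helper names (parse_multipart, normalise_upload, content_type) are constructed for this example.

```python
"""Added example (not wire-server's own code): normalise the Content-Type of
asset parts in a multipart/mixed upload to application/octet-stream, as the
advisory describes the patched server doing.  Request body and helper names
are constructed for this example."""
from typing import Dict, List, Tuple

ASSET_CONTENT_TYPE = "application/octet-stream"

# A part is (headers, payload); header names keep the case the client sent.
Part = Tuple[Dict[str, str], bytes]


def content_type(headers: Dict[str, str]) -> str:
    """Case-insensitive Content-Type lookup (HTTP header names are case-insensitive)."""
    for name, value in headers.items():
        if name.lower() == "content-type":
            return value
    return ""


def parse_multipart(body: bytes, boundary: str) -> List[Part]:
    """Split a multipart/mixed body into its parts.

    Per RFC 2046 the CRLF before each delimiter belongs to the delimiter, so it is
    stripped from the end of the preceding part rather than kept as payload."""
    delim = b"--" + boundary.encode("ascii")
    parts: List[Part] = []
    for chunk in body.split(delim)[1:]:      # [0] is the preamble, ignored
        if chunk.startswith(b"--"):          # closing delimiter; epilogue follows
            break
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        if chunk.endswith(b"\r\n"):
            chunk = chunk[:-2]
        raw_headers, _, payload = chunk.partition(b"\r\n\r\n")
        headers: Dict[str, str] = {}
        for line in raw_headers.decode("latin-1").split("\r\n"):
            name, _, value = line.partition(":")
            headers[name.strip()] = value.strip()
        parts.append((headers, payload))
    return parts


def force_asset_content_type(headers: Dict[str, str]) -> Dict[str, str]:
    """Drop whatever Content-Type the client sent and pin the generic binary type."""
    kept = {k: v for k, v in headers.items() if k.lower() != "content-type"}
    kept["Content-Type"] = ASSET_CONTENT_TYPE
    return kept


def normalise_upload(body: bytes, boundary: str) -> bytes:
    """Rebuild the upload with the asset parts' Content-Type overridden.

    Part 0 is the JSON metadata ({"public": ..., "retention": ...}); every later
    part carries asset bytes and gets application/octet-stream."""
    delim = b"--" + boundary.encode("ascii")
    out = b""
    for index, (headers, payload) in enumerate(parse_multipart(body, boundary)):
        if index > 0:
            headers = force_asset_content_type(headers)
        out += delim + b"\r\n"
        for name, value in headers.items():
            out += f"{name}: {value}\r\n".encode("latin-1")
        out += b"\r\n" + payload + b"\r\n"
    return out + delim + b"--\r\n"


BOUNDARY = "frontier"
# Constructed request body modelled on the advisory's example.  The asset part is
# deliberately labelled text/html to stand in for a mislabelled upload.
UPLOAD = (
    b"--frontier\r\n"
    b"Content-Type: application/json\r\n"
    b"Content-Length: 43\r\n"
    b"\r\n"
    b'{"public":false, "retention": "persistent"}\r\n'
    b"--frontier\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 30\r\n"
    b"\r\n"
    b"<html>not really a jpeg</html>\r\n"
    b"--frontier--\r\n"
)

if __name__ == "__main__":
    before = parse_multipart(UPLOAD, BOUNDARY)
    after = parse_multipart(normalise_upload(UPLOAD, BOUNDARY), BOUNDARY)
    print("client sent:", content_type(before[1][0]))
    print("server stores:", content_type(after[1][0]))
```

The server-side effect to check for is that the MIME type later served to browsers is never derived from the upload: after normalisation the asset part reads application/octet-stream while the metadata part is still application/json. Pinning the type closes the generic vector the advisory describes; the companion advisory GHSA-382j-mmc8-m5rw covers the image-asset case separately.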
Workarounds
none
Credit
Reported by Kane Gamble.