• Resolved eatandbemerry

    (@eatandbemerry)


    Hi. I just read on a forum that SVGs have issues — security issues. That an attacker could exploit.

    What I’m wondering: if that attacker has to be the one to *upload* the file with malicious code to a server... or if security risks associated with SVGs are possible when a site is being attacked from the outside (and not from an uploading user of the site itself).

    And when I say “from the outside” I mean that a hacker could exploit a weakness inside an SVG that is displayed on a WordPress site.

    If it’s the latter…then…do I need to worry about this plugin being insecure?

    Is this plugin a possible security risk with SVGs?

    There are other plugins I’m stumbling across that claim to make your site safer with their use, but it appears they are concerned with limiting uploads by users that could be malicious.

    That’s not my concern.

    I’m concerned only with my own site having SVGs on it that could be used as an entry by a hacker stumbling across my site from the outside…and trying to hack it that way. I am *not* concerned with internal users abusing/neglecting security protocols. I’m just concerned with hackers trying to get at my site from the outside.

    So... is this plugin somehow, in any way whatsoever... allowing for inherently (if they are all inherently) insecure SVGs to be displayed on sites without any security measures? If all SVGs are security risks — naturally, without being intentionally corrupted by people who put malicious code in them before uploading them — then what can be done to make sure SVGs are not a security risk to display on any site?

    And if that is the case... what does your plugin do to offset any security risks?

    Please note: if SVGs are not inherent security risks — again, just by themselves, without being corrupted by an uploader — please let me know that too.

    Thanks!

  • Plugin Author Benbodhi

    (@benbodhi)

    The security issues could lie within the SVG itself. SVG is actually XML code. So a standard image SVG that you have created will not pose any risks whatsoever. The issue is malicious code being added to the SVG file so that it looks like an image but has “behind the scenes” XML code built into it.

    There is no issue with outside attackers provided you trust the SVG file.

    So it is perfectly safe to use a pre-screened/vetted SVG file.

    I would dare say there are some SVG files floating around the internet with malicious code in them, so blindly downloading them and then uploading to your site could be a disaster. If you open it in a code editor and look at the code, you can see what it contains. You could also run them through a sanitization library to help avoid nasty code.

    Making your own SVG files is the best and safest bet.

    My plugin has an option to restrict upload to admin role only, which in most cases is ok as you trust them not to place malicious code in any way. It doesn’t avoid lack of security checks on the SVG before uploading though; if an admin is lazy or uninformed, they may upload a compromised file.

    In saying that, I personally have not come across any malicious SVG files and I have downloaded a lot over the years. But to not check would be risky nonetheless.

    I have been considering writing in some sanitization features. Might be a future feature.

    I hope this answers your questions.

    Learn more here:
    https://bjornjohansen.no/svg-in-wordpress

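    Added example, not code from the plugin or from the reply above: a small Python audit-and-strip pass over an SVG, showing the kind of “behind the scenes” XML content a sanitization library looks for (script elements, on* event handler attributes, javascript: links). The sample SVG is constructed for the demo, and the check only uses the standard library.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
# Elements that let an SVG run script or embed arbitrary HTML in the viewer.
ACTIVE_ELEMENTS = {"script", "foreignObject"}


def local(name):
    """Strip the XML namespace, e.g. '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.split("}", 1)[1] if name.startswith("{") else name


def risky_attr(name, value):
    """True for on* event handlers and href values that would execute script."""
    n = local(name)
    return n.lower().startswith("on") or (
        n == "href" and value.strip().lower().startswith("javascript:"))


def audit_svg(svg_text):
    """Return a list of findings; an empty list means no active content was found."""
    # xml.etree does not fetch external entities; for untrusted uploads in
    # production use defusedxml, which also blocks entity-expansion bombs.
    root = ET.fromstring(svg_text)
    findings = []
    for el in root.iter():
        if local(el.tag) in ACTIVE_ELEMENTS:
            findings.append(f"<{local(el.tag)}> element")
        for attr, value in el.attrib.items():
            if risky_attr(attr, value):
                findings.append(f"{local(attr)} attribute on <{local(el.tag)}>")
    return findings


def sanitize_svg(svg_text):
    """Return the SVG with active elements and attributes removed."""
    ET.register_namespace("", SVG_NS)  # keep the output free of ns0: prefixes
    root = ET.fromstring(svg_text)
    for parent in list(root.iter()):  # snapshot, since we modify the tree
        for child in list(parent):
            if local(child.tag) in ACTIVE_ELEMENTS:
                parent.remove(child)
    for el in root.iter():
        for attr in [a for a, v in el.attrib.items() if risky_attr(a, v)]:
            del el.attrib[attr]
    return ET.tostring(root, encoding="unicode")


# Constructed sample: a plain circle plus three pieces of active content.
SAMPLE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">'
    '<circle cx="10" cy="10" r="5"/><script>/* placeholder */</script>'
    '<a xlink:href="javascript:void(0)"><text>link</text></a></svg>'
)
```

    Run `audit_svg` on a file before accepting it; a hand-drawn SVG exported from a vector editor normally produces an empty findings list.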
    Thread Starter eatandbemerry

    (@eatandbemerry)

    Thank you so much!!! I feel much better now. See, I thought that was it, but I needed to hear that was the case from someone who knows this stuff. Your plugin is a lifesaver…would hate to not be able to use it!!

    Have a great day.

    Plugin Author Benbodhi

    (@benbodhi)

    My pleasure! Glad you like the plugin.

  • The topic ‘Security Issues…?’ is closed to new replies.