Cross Site Scripting through image EXIF
Cross Site Scripting (XSS) seems to be the most common vulnerability today, with every other site having run into it at least once. In a nutshell, whenever a website displays unsanitized user-driven data (supplied directly or indirectly), it makes itself susceptible to XSS.
Image EXIF information is no exception. Though the EXIF is usually written by the digital camera, it can be edited with any of the freely available tools. It is possible to modify any tag, including the Camera Make and Model, and replace them with JavaScript snippets.
Here’s a sample image with JavaScript alerts written into its EXIF. (Upload the pic to jpeginfo.com to see the JavaScript at work. The site doesn’t persist the image and hence is safe.) Most of the big names in photo sharing already sanitize the EXIF tags before displaying them, but there are a lot of smaller websites which are prone to this kind of XSS.
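As an added illustration (not code from the original post), the following builds a constructed JPEG whose Exif Make tag carries a script snippet, reads IFD0 back the way a photo site's metadata display would, and shows the unescaped rendering beside the HTML-escaped one; the tag ids are standard EXIF, the fixture values are made up.

```python
import html, struct

MAKE, MODEL = 0x010F, 0x0110  # EXIF tag ids for camera Make and Model

def build_jpeg_with_exif(make: bytes, model: bytes) -> bytes:
    """Constructed fixture: a JPEG shell whose APP1 Exif segment carries Make/Model in IFD0."""
    entries = [(MAKE, make + b"\0"), (MODEL, model + b"\0")]  # ASCII type, NUL-terminated
    data_off = 8 + 2 + 12 * len(entries) + 4  # TIFF header + count + entries + next-IFD link
    ifd, blob = struct.pack("<H", len(entries)), b""
    for tag, val in entries:
        inline = len(val) <= 4  # values of up to 4 bytes live in the entry's value field
        ifd += struct.pack("<HHI", tag, 2, len(val))
        ifd += val.ljust(4, b"\0") if inline else struct.pack("<I", data_off + len(blob))
        blob += b"" if inline else val
    tiff = b"II*\0" + struct.pack("<I", 8) + ifd + struct.pack("<I", 0) + blob
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

def parse_ifd0_ascii(tiff: bytes) -> dict:
    """Return {tag_id: str} for every ASCII (type 2) entry in IFD0, either byte order."""
    e = "<" if tiff[:2] == b"II" else ">"
    (ifd,) = struct.unpack(e + "I", tiff[4:8])
    (n,) = struct.unpack(e + "H", tiff[ifd:ifd + 2])
    out = {}
    for i in range(n):
        p = ifd + 2 + 12 * i
        tag, typ, count = struct.unpack(e + "HHI", tiff[p:p + 8])
        if typ != 2:
            continue
        off = p + 8 if count <= 4 else struct.unpack(e + "I", tiff[p + 8:p + 12])[0]
        out[tag] = tiff[off:off + count].rstrip(b"\0").decode("ascii", "replace")
    return out

def read_exif_strings(jpeg: bytes) -> dict:
    """Walk the JPEG marker segments to the first APP1 'Exif' segment and parse it."""
    pos = 2  # skip SOI
    while pos + 4 <= len(jpeg):
        marker, seglen = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker == 0xFFDA:  # start of scan: no metadata segments follow
            break
        seg = jpeg[pos + 4:pos + 2 + seglen]
        if marker == 0xFFE1 and seg.startswith(b"Exif\0\0"):
            return parse_ifd0_ascii(seg[6:])
        pos += 2 + seglen
    return {}

def render(tags: dict, escape: bool = True) -> str:
    """HTML cells for Make/Model; escape=False is the vulnerable rendering the post describes."""
    f = html.escape if escape else (lambda s: s)
    return f"<td>{f(tags.get(MAKE, ''))}</td><td>{f(tags.get(MODEL, ''))}</td>"
```

The fix is the same as for any other user-controlled string: treat every EXIF value as untrusted text and escape it for the context it is rendered into.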

Looks like jpginfo does not exist any more
One can use http://camerasummary.com/ instead
Hi. Is this XSS still working in the latest browsers? I tried this back in 2011 and it worked in FF and Chrome. Have browsers implemented some kind of fix for this in the recent years? I can’t find anything about this online.
thanks,
Alex
There isn’t much browsers can do against XSS. This should still be applicable for most of the new browsers.
But your infected sample image (http://img259.imageshack.us/img259/163/scriptw.jpg) is no longer a threat. The alert is no longer being fired on any modern browser on any OS. It looks like Firefox with their 3.6 release has enhanced the EXIF parser and other browsers followed the case. There’s no working vector for EXIF data at the moment. Am I wrong?