SVG images and Wordpress

  • PonyBoy0

    SVG files are awesome if you want clean crisp sharp scalable vectors (looks amazing on retina)... makes creating responsive graphics a snap (logos look perfect etc).

    The security risk is pretty much non-existent if your site is maintained by you / the client... people you know / trust.

    The time to worry is if you allow people to post / upload to your site (think blog comments that allow images). SVG isn't really the problem, it's the fact that it's wrapped in XML. This means you can create some evil shit if you really wanted to... stuff that could interact with just about any script on a page (JS to Flash)... stuff that could send your server into conniption-mode (send a script into a RAM-eating loop and your server locks right up, etc.... look up the “Billion Laughs” attack if you feel nerdy). Then there's the fun 'XML External Entity Attacks' that can literally work their way through your complete site right into your root folders... files you didn't even know you had on your server (or that you're not supposed to touch) become vulnerable...

    ...but this is ONLY if you allow people to upload to your site!

    SVG is your friend if your site is just for display.

    SVG files are being used in some nasty Ransomware right now. Hacker twats will send the SVGs with evil XML embedded as a ZIP file to various email accounts at target companies. The company employee opens the email, unzips the ZIP like an idiot and it's on!

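What the upload check the post is asking for looks like in practice, as an added example that is not code from the thread or from WordPress: a Python validator built on the standard library's expat bindings. It refuses any SVG that declares a DOCTYPE (which is what both Billion Laughs and XXE need) and reports `<script>` elements, `on*` event-handler attributes and `javascript:` links. The function names and the four sample SVGs are my own constructions for the example.

```python
"""Reject SVG uploads that carry a DTD (Billion Laughs / XXE) or active content.

Added example for this thread, not code posted by anyone in it. Uses only the
standard library's expat bindings so it runs offline. Function names and the
sample SVGs below are my own constructions.
"""
import xml.parsers.expat as expat


class UnsafeSVG(Exception):
    """Raised from a parser callback to abort parsing as soon as a DTD appears."""


# Names are compared on their local part, case-insensitively, because files in
# the wild mix "svg:script", "SCRIPT" and plain "script".
ACTIVE_ELEMENTS = {"script"}
DANGEROUS_SCHEMES = ("javascript:", "data:text/html")


def _local(name: str) -> str:
    return name.rsplit(":", 1)[-1].lower()


def svg_findings(data: bytes) -> list:
    """Parse `data` once and return the reasons it should be rejected.

    An empty list means: well-formed XML, root element <svg>, no DOCTYPE, no
    entity declarations, no external entity references, no <script>, no on*
    event-handler attributes and no javascript: links.
    """
    findings = []
    seen_root = []
    p = expat.ParserCreate()

    # A DOCTYPE is what both Billion Laughs and XXE need, and a renderer does
    # not need one to draw an SVG, so any DOCTYPE is refused. Raising here
    # stops expat before it reads the internal subset or expands an entity.
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeSVG(f"DOCTYPE '{name}' declared (Billion Laughs / XXE vector)")

    # Defence in depth: these only fire if a DTD somehow got past on_doctype.
    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        kind = "external" if (sysid or pubid) else "internal"
        raise UnsafeSVG(f"{kind} entity '{name}' declared")

    def on_external_ref(context, base, sysid, pubid):
        raise UnsafeSVG(f"external entity reference to {sysid!r}")

    # Active content is recorded rather than aborted on, so the uploader can
    # be told everything that is wrong with the file in one pass.
    def on_start(name, attrs):
        local = _local(name)
        if not seen_root:
            seen_root.append(local)
            if local != "svg":
                findings.append(f"root element is <{local}>, not <svg>")
        if local in ACTIVE_ELEMENTS:
            findings.append(f"<{local}> element")
        for attr, value in attrs.items():
            a = _local(attr)
            if a.startswith("on"):
                findings.append(f"event handler attribute {attr}")
            elif a == "href" and value.strip().lower().startswith(DANGEROUS_SCHEMES):
                findings.append(f"{attr}={value!r}")

    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity
    p.ExternalEntityRefHandler = on_external_ref
    p.StartElementHandler = on_start

    try:
        p.Parse(data, True)
    except UnsafeSVG as e:
        findings.insert(0, str(e))
    except expat.ExpatError as e:
        findings.insert(0, f"not well-formed XML: {e}")
    return findings


def is_safe_svg(data: bytes) -> bool:
    return not svg_findings(data)


# Constructed samples: one clean logo, one Billion Laughs (cut to three levels
# so it is harmless to run), one XXE read of /etc/passwd, one with script.
CLEAN_SVG = (b'<?xml version="1.0"?>\n<svg xmlns="http://www.w3.org/2000/svg" '
             b'viewBox="0 0 10 10"><circle cx="5" cy="5" r="4" fill="#09f"/></svg>')
BILLION_LAUGHS_SVG = (b'<?xml version="1.0"?>\n<!DOCTYPE svg [\n'
                      b' <!ENTITY lol "lol">\n'
                      b' <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">\n'
                      b' <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">\n'
                      b']>\n<svg xmlns="http://www.w3.org/2000/svg"><text>&lol3;</text></svg>')
XXE_SVG = (b'<?xml version="1.0"?>\n'
           b'<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>\n'
           b'<svg xmlns="http://www.w3.org/2000/svg"><text>&xxe;</text></svg>')
SCRIPT_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">\n'
              b'<script>alert(document.cookie)</script>\n'
              b'<a href="javascript:alert(2)"><text>click</text></a></svg>')

if __name__ == "__main__":
    for label, doc in [("clean", CLEAN_SVG), ("billion laughs", BILLION_LAUGHS_SVG),
                       ("xxe", XXE_SVG), ("script", SCRIPT_SVG)]:
        print(f"{label}: {'accepted' if is_safe_svg(doc) else 'rejected'} {svg_findings(doc)}")
```

The DOCTYPE refusal is the part that matters for the two attacks the post names, because the parser is stopped before the DTD is even read, so nothing is expanded or fetched. The script and handler checks are a blocklist and catch only the obvious cases; for a site that really does accept SVG from strangers, an allowlisting sanitizer that rebuilds the document from known-safe elements and attributes is the stronger option.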