Possible XSS vulnerability #133

Closed
enferas opened this issue Nov 11, 2021 · 7 comments

enferas commented Nov 11, 2021

Hello,

I would like to report an XSS vulnerability.

In api/info.php

function getInfoAboutHash

function getInfoAboutHash($hash)
{
    // ...
        
    return array('hash'=>$hash,'size_bytes'=>$size,'size_interpreted'=>$size_hr,'type'=>$type,'type_interpreted'=>getTypeOfFile($file));
}

line 15

$hash = $_REQUEST['hash'];
// ...
    $answer = getInfoAboutHash($hash);
    $answer['status'] = 'ok';
    exit(json_encode($answer));
// ...

The exit function will terminate the script and print the message, which contains $_REQUEST['hash'].
Then there is an XSS vulnerability.

Member

geek-at commented Nov 11, 2021

Cannot confirm, because the script will return {"status":"err","reason":"File not found"} if the hash is invalid (see here) because of line 17.

But I did find another small bug: if you leave the hash variable out, it was telling you the size of the data folder.

Thanks!

geek-at closed this as completed Nov 11, 2021

Author

enferas commented Dec 2, 2021

Thank you for the confirmation.

CVE-2021-43683 is assigned to this discovery.

pictshare v1.5 is affected by a Cross Site Scripting (XSS) vulnerability in api/info.php. The exit function will terminate the script and print the message which has $_REQUEST['hash'].

Member

geek-at commented Dec 2, 2021

Do you have a PoC? I can't reproduce it, as it will just say "file not found" if an invalid hash is supplied.

Author

enferas commented Dec 9, 2021

Thank you for your response.

Specific values can pass through json_encode.
This example gives an alert for me.

<?php
$output = ["A"=>"<img src='#' onerror=alert(1)>","B"=>"Safe"];
echo json_encode($output);
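
The snippet above only produces an alert when the browser parses the response as HTML, which is what happens when a PHP script echoes json_encode() output without setting a Content-Type (PHP's default is text/html). The following is an added example, not PictShare's code and not part of this thread: hypothetical helpers encode_json_safely() and send_json(), with a constructed payload, showing a JSON response that stays inert even if it is ever rendered as markup.

```php
<?php
// Added example, not PictShare code. The helper names and the sample payload
// are hypothetical and constructed for illustration.

// With these flags json_encode() emits \u003C \u003E \u0026 \u0027 \u0022
// in place of the raw characters < > & ' ", so the body contains no markup.
const SAFE_JSON_FLAGS = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;

function encode_json_safely(array $payload): string
{
    // JSON_THROW_ON_ERROR (PHP 7.3+) raises JsonException instead of returning false.
    return json_encode($payload, SAFE_JSON_FLAGS | JSON_THROW_ON_ERROR);
}

function send_json(array $payload, int $status = 200): void
{
    http_response_code($status);
    // Declare the body as JSON so it is not handled as text/html ...
    header('Content-Type: application/json; charset=utf-8');
    // ... and tell the browser not to sniff a different type from the content.
    header('X-Content-Type-Options: nosniff');
    echo encode_json_safely($payload);
}

// Constructed request value, reusing the string from the comment above.
$payload = ['hash' => "<img src='#' onerror=alert(1)>", 'status' => 'ok'];

if (PHP_SAPI === 'cli') {
    // Command line: compare the two encodings side by side.
    echo 'default: ', json_encode($payload), PHP_EOL;
    echo 'escaped: ', encode_json_safely($payload), PHP_EOL;
    // The escaped form decodes back to the identical data for API clients.
    var_dump(json_decode(encode_json_safely($payload), true) === $payload);
} else {
    // Web server: send the hardened response.
    send_json($payload);
}
```

Run from the command line, it prints both encodings for comparison; behind a web server it sends the response with the explicit JSON content type.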

Member

geek-at commented Dec 10, 2021

You do realize that the bug was fixed 3 years before you opened the CVE, right? Pictshare 1.5 was released in 2018

@vitalijalbu

@geek-at would be better if you add releases on this repo, so people can easily ask questions and open issues.

Member

geek-at commented Dec 10, 2021

I'm open to pull requests if you want to automate it on every push. At the moment the "releases" are basically what's on docker hub.

Rolling updates I find more suitable for a project of this scope because it's easier to manage and faster to update with a git pull if you don't want to use the docker image
