Description
Hello,
I would like to report an XSS vulnerability.
```php
//line 98
function uploadchannel()
{
    $platform = $_POST['platform'];                      // untrusted request parameter
    $channel = $this->channel->getchanbyplat($platform);
    echo json_encode($channel);                          // query results echoed straight back to the client
}
```

In file razor/web/application/models/channelmodel.php, line 421 in 2c991af:
```php
//line 421
function getchanbyplat($platform)
{
    $userid = $this->common->getUserId();
    // $platform is concatenated into the SQL string without escaping
    $sql = "select * from " . $this->db->dbprefix('channel') . " where active=1 and platform='$platform' and type='system' union
            select * from " . $this->db->dbprefix('channel') . " where active=1 and platform='$platform' and type='user' and user_id=$userid";
    $query = $this->db->query($sql);
    if ($query != null && $query->num_rows() > 0) {
        return $query->result_array();
    }
    return null;
}
```

We can see that the $platform variable is used inside the sql query without sanitization.
So the attacker can use the UNION command inside the platform to join a harmful input to the results of the query.
For example: $platform = 'something' UNION select '<script>alert(document.cookie)<\script>' AS '.
Thus the XSS will happen at echo json_encode($channel);
I recommend checking for and deleting the character (') in the platform variable.
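For reference, a hardened version of the two functions above, added here as an example and not the project's own code. It assumes CodeIgniter 3's query-binding, Input and Output classes, and the class names and `CI_Model`/`CI_Controller` parents are assumptions about the project layout.

```php
<?php
// Added example, not the project's code. Class names are assumed.
class Channelmodel extends CI_Model
{
    // Same query as line 421, but with bound parameters: the driver escapes
    // and quotes each value, so a quote in $platform cannot close the literal
    // or append a UNION.
    function getchanbyplat($platform)
    {
        $userid = (int) $this->common->getUserId();     // force an integer
        $table  = $this->db->dbprefix('channel');
        $sql = "SELECT * FROM {$table} WHERE active=1 AND platform=? AND type='system'
                UNION
                SELECT * FROM {$table} WHERE active=1 AND platform=? AND type='user' AND user_id=?";
        // Each ? is replaced, in order, by an escaped value from the array.
        $query = $this->db->query($sql, array($platform, $platform, $userid));
        if ($query !== false && $query->num_rows() > 0) {
            return $query->result_array();
        }
        return null;
    }
}

class Channel extends CI_Controller
{
    // Same behaviour as line 98, but the response is declared as JSON and
    // HTML-significant characters in string values are hex-escaped, so even a
    // stored <script> string in the database is never rendered as markup.
    function uploadchannel()
    {
        $platform = $this->input->post('platform');
        $channel  = $this->channel->getchanbyplat($platform);
        $this->output
             ->set_content_type('application/json')
             ->set_output(json_encode(
                 $channel,
                 JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
             ));
    }
}
```

The parameter binding removes the injection; the content type and JSON_HEX_* flags remove the XSS sink in case any stored value still contains markup.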