Several XSS vulnerabilities #694

Closed
ghost opened this Issue Dec 5, 2016 · 2 comments


ghost commented Dec 5, 2016

There are several XSS vulnerabilities in the current codebase due to inadequate user input validation and output sanitisation. The PHP spaghetti code doesn't help, but since the codebase is not supported, it's unlikely a request to use a contextually aware template engine is worth making. :)

Reflected XSS affecting 36 PHP scripts including footer.php
PoC: /login.php?footerScripts[]=<script>console.log(%27xss%27);</script>
Some pages require an authenticated session.
Source: footer.php

<?php
// Vulnerable as reported: every element of the footerScripts[] request
// parameter is written straight into the page with no escaping or
// allow-listing, so attacker-controlled markup becomes part of the HTML.
if (isset($_REQUEST["footerScripts"])) {
    foreach ($_REQUEST["footerScripts"] as $script) {
        print $script . "\n";
    }
}
?>

Reflected XSS affecting logout.php
PoC: /logout.php?message=<script>console.log(%27xss%27);</script>
Requires an authenticated session.
Source: logout.php

// As reported: the message request parameter is passed to displayError()
// unescaped at this call site (the maintainer notes that displayError()
// itself escapes it).
if (isset($_REQUEST['message'])) {
    $redirectTime = 5000;
    displayError("An error has occurred and you have been logged out:\n" . $_REQUEST['message']);
}
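For context, an added example (not the project's code, and not the maintainer's actual patch) of how the two sinks above can be hardened: footerScripts[] is treated as a list of names checked against an allow-list of known script paths instead of being printed, and the logout message is HTML-escaped before output. The allow-list entries and /js/ paths are assumptions for illustration.

```php
<?php
// Added example, not the project's code: hardened versions of the two
// sinks from the report. Assumptions: footer scripts live under /js/ and
// the page is served as UTF-8; allow-list entries are illustrative.

declare(strict_types=1);

/** Escape a string for insertion into HTML text or a double-quoted attribute. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * footer.php (hardened). The request may only name scripts; the path that
 * is emitted comes from the allow-list, never from the request itself.
 */
const FOOTER_SCRIPT_ALLOWLIST = [          // assumed names, for illustration
    'jquery'    => '/js/jquery.min.js',
    'analytics' => '/js/analytics.js',
];

function renderFooterScripts(array $request): string
{
    $out = '';
    $requested = $request['footerScripts'] ?? [];
    if (!is_array($requested)) {
        return $out;                         // a scalar here is a malformed request
    }
    foreach ($requested as $name) {
        if (!is_string($name) || !isset(FOOTER_SCRIPT_ALLOWLIST[$name])) {
            continue;                        // unknown name: drop it
        }
        $out .= '<script src="' . h(FOOTER_SCRIPT_ALLOWLIST[$name]) . '"></script>' . "\n";
    }
    return $out;
}

/**
 * logout.php (hardened). The message is still shown, but escaped so any
 * markup in it renders as text. This is what a displayError() that escapes
 * its argument must do for the second finding to be a non-issue.
 */
function renderLogoutMessage(array $request): string
{
    if (!isset($request['message']) || !is_string($request['message'])) {
        return '';
    }
    return '<p class="error">An error has occurred and you have been logged out:<br>'
        . nl2br(h($request['message'])) . '</p>' . "\n";
}

// Demonstration with constructed $_REQUEST-like arrays built from the
// report's PoC inputs: the script payload is dropped, the allow-listed
// name is emitted, and the message payload is rendered as inert text.
$poc1 = ['footerScripts' => ["<script>console.log('xss');</script>", 'jquery']];
$poc2 = ['message' => "<script>console.log('xss');</script>"];

echo renderFooterScripts($poc1);
echo renderLogoutMessage($poc2);
```

Run it with `php` on the command line and compare the output against the PoC strings: the footer emits only the allow-listed `<script src>` tag, and the logout message contains `&lt;script&gt;` rather than a live element. Allow-listing is preferable to escaping for the first case because the value is used to build markup, not to display text.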
Collaborator

ryanbrainard commented Dec 5, 2016

Good catch on the first one. Just patched it. On the second one, it is escaped inside displayError.

PHP spaghetti code

Yes, it sucks. Sorry, I wrote most of this before I knew what I was doing.

ghost commented Dec 7, 2016

Thanks for the fast response!
