Fix reflected XSS in fileman.php (self discovered, no signs of exploi…
…tation... not that there would be much to exploit, given that there are no cookies or localstorage (i.e. there is no state you could get at))
lgommans committed May 10, 2019
1 parent 31ecf08 commit fa73c3a
Showing 1 changed file with 8 additions and 7 deletions.
15 changes: 8 additions & 7 deletions web/fileman.php
Expand Up @@ -17,18 +17,18 @@
if (empty($_GET['secret'])) {
if ($_SERVER['HTTP_USER_AGENT'] == 'cli' || $_SERVER['HTTP_USER_AGENT'] == 'dro.pm-androidapp') {
list($secret, $key) = allocate();
$retval = "$secret dro.pm/$key";
$retval = htmlspecialchars($secret) . ' dro.pm/' . htmlspecialchars($key);
}
else {
die('Missing required parameter.');
}
}
else {
$secret = $db->escape_string($_GET['secret']);
$key = $db->query('SELECT `key` FROM `shorts` WHERE `secret` = "' . $secret . '"') or die('Database error 3984');
$secret = $_GET['secret'];

$key = $db->query('SELECT `key` FROM `shorts` WHERE `secret` = "' . $db->escape_string($secret) . '"') or die('Database error 3984');
if ($key->num_rows != 1) {
die("?secret=$secret not found");
die('?secret=' . htmlspecialchars($secret) . ' not found');
}
$key = $key->fetch_row()[0];
}
Expand All @@ -38,9 +38,10 @@
die('Error moving file.<script>alert("Error 500 uploading file.");</script>');
}

$data = array('original_filename' => $_FILES['f']['name'], 'filename' => $key);
$data = ['original_filename' => $_FILES['f']['name'], 'filename' => $key];
$data = $db->escape_string(serialize($data));
$db->query('UPDATE `shorts` SET `expires` = ' . (time() + (12*3600)) . ', `type` = 2, `value` = "' . $data . '", expireAfterDownload = ' . $expireAfterDownload . ' WHERE `secret` = "' . $secret . '"') or die('Database error 29348');
$db->query('UPDATE `shorts` SET `expires` = ' . (time() + (12*3600)) . ', `type` = 2, `value` = "' . $data . '", expireAfterDownload = ' . $expireAfterDownload
. ' WHERE `secret` = "' . $db->escape_string($secret) . '"') or die('Database error 29348');

die($retval);
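Review bot: Both hunks still build SQL by concatenating `$db->escape_string($secret)` into a quoted literal (the SELECT on the `$key = $db->query(...)` line of the first hunk and the UPDATE spanning the last two lines of the second); with what looks like a mysqli handle, a prepared statement with `bind_param` removes the manual escaping step and is not sensitive to the connection charset. The `empty($_GET['secret'])` guard also admits a non-string value such as `?secret[]=x`, which would then reach `escape_string`/`htmlspecialchars` as an array; `if (empty($_GET['secret']) || !is_string($_GET['secret'])) {` closes that. For the two `htmlspecialchars` calls, passing `ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'` explicitly makes the escaping independent of the PHP version's default flags (single quotes are left unescaped before 8.1). The `}` that opens the second hunk closes a block that starts outside it. A bound-parameter version of the SELECT would look like this:
```php
$stmt = $db->prepare('SELECT `key` FROM `shorts` WHERE `secret` = ?') or die('Database error 3984');
$stmt->bind_param('s', $secret);
$stmt->execute() or die('Database error 3984');
$key = $stmt->get_result(); // get_result() needs the mysqlnd driver; otherwise use bind_result()
// … unchanged: num_rows check and fetch_row() …
```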
