CVE-2017-0378 reflected XSS

[lightsey]

While looking through codesearch.debian.net I noticed that phamm's views/helpers.php uses $_SERVER['PHP_SELF'] in a way that is vulnerable to reflected XSS attacks.

To reproduce the problem, load a URL like this in Firefox:

http://127.0.0.1/phamm/main.php/%22%3E%3Cscript%3Ealert%28123%29%3C/script%3E

The Debian Security team assigned this issue CVE-2017-0378

[lota]

Hi lightsey,
thanks for report. I reproduced the problem.

I tested (isset($_SERVER['HTTPS']) ? "https" : "http") . "://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]"; instead $_SERVER['PHP_SELF']

and vulnerability seems disappears

certainly there are other better way to sanitize Phamm's code, anyway, solution above could be sufficient?

TIA
Lota

[lightsey]

On Thu, 2017-07-20 at 08:53 +0000, Lota Bi wrote: Hi lightsey, thanks for report. I reproduced the problem. I tested  (isset($_SERVER['HTTPS']) ? "https" : "http") . "://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]"; instead $_SERVER['PHP_SELF']  and vulnerability  seems disappears certainly there are other better way to sanitize Phamm's code, anyway, solution above could be sufficient?

The more common fix is just to switch $_SERVER['PHP_SELF'] to htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES, "utf-8")

[c3retc3]

Hi lota! It seems like phamm/views/helpers.php keeps another vulnerable parts of code that could lead to reflected XSS. For example, in line #120:

$tag .= "<input type=\"text\" class=\"form-control\" size=\"25\" name=\"login_username\" value=\"".$login_username."\" maxlength=\"100\" placeholder=\""._("Enter domain or e-mail")."\" />"."\n";

It looks like variable login_username comes right from POST request body being not filtered.

Would you take a look at this, please?

[lota]

thanks for report, but Phamm is no longer supported,
we evaluate pull request only