This repository has been archived by the owner on Jan 27, 2023. It is now read-only.

Stored XSS in notes.php #140

Open
teeann opened this issue Apr 18, 2019 · 2 comments

teeann commented Apr 18, 2019

Summary

The parameter $notes is not sanitized after being queried from the database, so attackers can create a stored XSS attack.

How to reproduce

  1. curl http://<domain.tld>/notes.php --data 'file=1&notes=<script>alert(1)</script>' --cookie 'PHPSESSID=<session_id>'
  2. in your browser, access http://<domain.tld>/notes.php?file=1 while logged in

Detail

The bug exists because $notes is assigned the result of a database query without sanitizing:
https://github.com/mkucej/i-librarian/blob/master/notes.php#L27
https://github.com/mkucej/i-librarian/blob/master/notes.php#L53
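The pattern the report describes, shown beside its hardened form, as an added example that is not code from this issue or from i-librarian. Only $notes, the file=1 identifier and the alert(1) payload come from the report; save_note(), render_note_unsafe(), render_note_safe() and the in-memory $store standing in for the database are hypothetical names introduced here.

```php
<?php
// Added example, not the project's own notes.php. It reconstructs the
// "store a note, later render it" pattern from the report and shows the
// output-encoding fix. save_note, render_note_unsafe, render_note_safe and
// $store are hypothetical names; $notes and the payload are from the report.

declare(strict_types=1);

// Constructed in-memory stand-in for the database row that notes.php reads.
$store = [];

// Storing the raw text is fine in itself: a database keeps the attacker's
// payload verbatim, exactly as the curl request in the report submits it.
function save_note(array &$store, int $file, string $notes): void
{
    $store[$file] = $notes;
}

// Vulnerable rendering: the value read back from storage is concatenated
// straight into HTML, so a stored <script> runs in every viewer's browser.
function render_note_unsafe(array $store, int $file): string
{
    $notes = $store[$file] ?? '';
    return '<div class="notes">' . $notes . '</div>';
}

// Hardened rendering: encode at the point of output, for the HTML context
// the value lands in. ENT_QUOTES also covers attribute contexts,
// ENT_SUBSTITUTE keeps invalid byte sequences from silently emptying the
// string, and an explicit charset avoids encoding mismatches.
function render_note_safe(array $store, int $file): string
{
    $notes = $store[$file] ?? '';
    $escaped = htmlspecialchars($notes, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<div class="notes">' . $escaped . '</div>';
}

// Payload from the report, stored under file=1.
save_note($store, 1, '<script>alert(1)</script>');

$unsafe = render_note_unsafe($store, 1);
$safe   = render_note_safe($store, 1);

echo "unsafe: $unsafe", PHP_EOL;
echo "safe:   $safe", PHP_EOL;

// Self-check: the raw <script> tag must survive only in the unsafe output.
if (strpos($unsafe, '<script>') === false || strpos($safe, '<script>') !== false) {
    fwrite(STDERR, "unexpected rendering result\n");
    exit(1);
}
```

Run it with `php example.php`. The fix belongs at the output, not at the input: escaping when the note is saved would corrupt data that is later used in a non-HTML context and is easy to bypass by writing to the database through another path. If notes are meant to hold rich text rather than plain text, full escaping is the wrong tool and an HTML allowlist sanitizer is needed instead.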


teeann commented Apr 20, 2019

Can anyone please review this bug? This is quite a critical vulnerability.

@mkucej mkucej self-assigned this Apr 20, 2019
@mkucej mkucej added the bug label Apr 20, 2019

mkucej commented Apr 20, 2019

Thanks, it will be fixed in I, Librarian 5.
