
Possible XSS vulnerability #2659

Closed
enferas opened this issue Nov 12, 2021 · 2 comments
@enferas

enferas commented Nov 12, 2021

Hello,

I would like to report an XSS vulnerability.

The path of the vulnerability

file www/pages/api.php line 49

Misc::showApiError(202, 'No such function (' . $_GET['t'] . ')');

file nzedb/utility/Misc.php in line 991

public static function showApiError($status = 900, $message = ''): void
{
    // ...

    $response =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" .
        '<error code="' . $status . '" description="' . $message . "\"/>\n";
    header('Content-type: text/xml');
    header('Content-Length: ' . \strlen($response));
    header('X-nZEDb: API ERROR [' . $status . '] ' . $message);
    http_response_code($status);

    exit($response);
}

The exit function will terminate the script and print the message, which contains the input $_GET['t']. Then there is an XSS vulnerability.

@enferas
Author

enferas commented Dec 2, 2021

CVE-2021-43686 is assigned to this discovery.

nZEDb v0.4.20 is affected by a Cross Site Scripting (XSS) vulnerability in www/pages/api.php. The exit function will terminate the script and print the message, which contains the input $_GET['t'].

@niel
Contributor

niel commented Dec 5, 2021

You are mistaken, there is no vulnerability here. Look closer at the nzedb/utility/Misc.php code, lines 1025-1027. The passed in message is replaced with a simpler but safe version which does not include the user input. The user input is passed to the ShowApiError method so that we can add logging for it later when the api is rewritten.

@niel niel closed this as completed Dec 5, 2021
@niel niel self-assigned this Dec 5, 2021
@niel niel added the INVALID label Dec 5, 2021
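Whatever the reachability of the reported path, the pattern the thread quotes (interpolating request input straight into an XML attribute) is worth contrasting with the escaped form. The following is an added example, not nZEDb's code; the function names and the sample `t` value are constructed for illustration.

```php
<?php
// Added example, not part of nZEDb. Contrasts interpolating a message
// directly into an XML attribute (the pattern quoted in the report)
// with escaping it first.

declare(strict_types=1);

function buildApiErrorUnescaped(int $status, string $message): string
{
    return "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
        . '<error code="' . $status . '" description="' . $message . "\"/>\n";
}

function buildApiErrorEscaped(int $status, string $message): string
{
    // ENT_XML1 | ENT_QUOTES turns < > & " ' into entities that are valid
    // inside an XML 1.0 attribute value, so the text cannot close it.
    $safe = htmlspecialchars($message, ENT_XML1 | ENT_QUOTES, 'UTF-8');
    return "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
        . '<error code="' . $status . '" description="' . $safe . "\"/>\n";
}

// Constructed sample: a `t` parameter carrying a quote and angle brackets.
$t = 'search" /><injected attr="x';
$message = 'No such function (' . $t . ')';

libxml_use_internal_errors(true);

// Unescaped: the quote ends the attribute early and a second element
// follows, so the response is no longer well-formed XML.
$broken = simplexml_load_string(buildApiErrorUnescaped(202, $message));
echo 'unescaped parses: ' . ($broken === false ? 'no' : 'yes') . "\n";

// Escaped: a single <error/> element, and the description round-trips intact.
$doc = simplexml_load_string(buildApiErrorEscaped(202, $message));
echo 'escaped parses:   ' . ($doc === false ? 'no' : 'yes') . "\n";
echo 'description:      ' . (string) $doc['description'] . "\n";
```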