
BlueScreen: In CLI mode the phpinfo() output is corrupted (and XSS vulnerable) #444

Closed
jakubboucek opened this issue Oct 21, 2020 · 1 comment

Comments

@jakubboucek
Contributor

jakubboucek commented Oct 21, 2020

Version: v2.7.5 - master

Bug Description

In CLI mode, BlueScreen renders the output of phpinfo() corrupted (section Environment » Configuration options » Configuration).

\Tracy\BlueScreen expects the phpinfo() function to return HTML-formatted output, but in CLI mode the output is ASCII-formatted plaintext.

Because the ASCII format is based on whitespace, this output is broken in HTML and should be wrapped in <pre></pre> tags.

There is one security aspect too: \Tracy\BlueScreen expects the values in phpinfo() to be escaped for the HTML context, but the plaintext variant is raw. That makes a real XSS vulnerability.

Related code:

<h3><a data-tracy-ref="^+" class="tracy-toggle tracy-collapsed">Configuration options</a></h3>
<div class="outer tracy-collapsed">
<?php ob_start(); @phpinfo(INFO_CONFIGURATION | INFO_MODULES); $phpinfo = ob_get_clean(); // @ phpinfo can be disabled
$phpinfo = str_replace('<table', '<table class="tracy-sortable"', $phpinfo);
echo preg_replace('#^.+<body>|</body>.+\z#s', '', $phpinfo) ?>
</div>

Steps To Reproduce

mkdir test
cd test
composer require tracy/tracy

Create cli.php:

<?php
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

\Tracy\Debugger::enable(\Tracy\Debugger::PRODUCTION, __DIR__);
throw new \Exception;

Call PHP file via CLI:

php cli.php

In the directory a BlueScreen dump is created; look at section Environment » Configuration options » Configuration, where the output of phpinfo() is corrupted.

Expected Behavior

Render the output as preformatted text, sanitized to prevent XSS.


I will maybe prepare a PR later.
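One way to render the section safely in both SAPIs, written here as an added example (not Tracy's own code or its eventual fix): the existing HTML path is kept, and the plaintext CLI variant is HTML-escaped and wrapped in <pre>. The function names and the sample phpinfo() text are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example (not Tracy's code): capture phpinfo() and hand it to
// the formatter, keeping the @ because phpinfo can be disabled.
function renderPhpInfo(): string
{
    ob_start();
    @phpinfo(INFO_CONFIGURATION | INFO_MODULES);
    return formatPhpInfo((string) ob_get_clean());
}

// Formatting is separated from the capture so it can be exercised on
// constructed input without running phpinfo() itself.
function formatPhpInfo(string $phpinfo): string
{
    // Web SAPI: phpinfo() emits a full HTML document whose values are
    // already escaped. Keep only the body and make tables sortable,
    // exactly as the original BlueScreen snippet does.
    if (stripos($phpinfo, '<body>') !== false) {
        $phpinfo = str_replace('<table', '<table class="tracy-sortable"', $phpinfo);
        return preg_replace('#^.+<body>|</body>.+\z#s', '', $phpinfo) ?? '';
    }

    // CLI SAPI: phpinfo() emits raw, unescaped plaintext. Treat every
    // value as untrusted data, escape it for the HTML context and keep
    // its whitespace-based layout with <pre>.
    return '<pre>' . htmlspecialchars($phpinfo, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</pre>';
}

// Constructed sample of CLI-style output that contains markup which
// must be shown literally, never interpreted by the browser.
$sample = "phpinfo()\nPHP Version => X.Y.Z\n\n"
    . "Configuration\n\nhtml_errors => <script>alert(1)</script> => Off\n";

$html = formatPhpInfo($sample);
assert(strpos($html, '<script>') === false);          // markup is neutralised
assert(strpos($html, '&lt;script&gt;') !== false);    // ...but still visible
assert(str_starts_with($html, '<pre>') && str_ends_with($html, '</pre>'));
echo $html, "\n";
```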

@jakubboucek
Contributor Author

Thanks!
