Possible XSS vulnerability #650
Comments
Unless you are on an outdated version, on the line prior to `$test_profile = new pts_test_profile($_GET['tp']);` is `phoromatic_quit_if_invalid_input_found(array('tp'));`. That `phoromatic_quit_if_invalid_input_found()` call will bail if that variable has any < > characters, among other characters, so XML cannot be passed ultimately on that line... Unless you found some way to bypass that, that line has already prevented the possibility of XSS there.
Hello, Thank you for your response. Anyway, I think I found a way to bypass this check.

```php
function phoromatic_quit_if_invalid_input_found($input_keys = null)
{
	if(empty($input_keys))
	{
		// Check them all if not being selective about what keys to check
		$input_keys = array_keys($_REQUEST);
	}

	// backup as to sanitization and stripping elsewhere, safeguard namely check for things like < for fields that shouldn't have it
	// plus a few simple backups as safeguards for words that really have no legit relevance within Phoromatic...
	foreach(pts_strings::safety_strings_to_reject() as $invalid_string)
	{
		foreach($input_keys as $key)
		{
			// Note: the value checked here comes from $_REQUEST, not from $_GET or $_POST directly
			if(isset($_REQUEST[$key]) && !empty($_REQUEST[$key]))
			{
				foreach(pts_arrays::to_array($_REQUEST[$key]) as $val_to_check)
				{
					if(stripos($val_to_check, $invalid_string) !== false)
					{
						echo '<strong>Exited due to invalid input ( ' . $invalid_string . ') attempted:</strong> ' . htmlspecialchars($val_to_check);
						exit;
					}
				}
			}
		}
	}
}
```

What I can do here is send the POST and the GET with the same key (tp). I pass the safe value with `$_POST` and the injection with `$_GET`. Thus `phoromatic_quit_if_invalid_input_found` will check the value in `$_POST`, which is safe, and I continue my injection with `$_GET`. Here is just a sample example I created to show that `$_REQUEST` is printing the value of `$_POST`.

Server code:

```php
<?php
// With PHP's default request_order ("GP"), a POST value overrides a GET value of the same key in $_REQUEST
echo $_GET['tp']; // prints getxxxx
echo $_POST['tp']; // prints postyy
echo $_REQUEST['tp']; // prints postyy
```

Payload:

```php
<?php
?>
<html>
<body>
<form action="http://localhost:8082/server.php?tp=getxxxx" id="myform" method="post" name="myform">
<input type="hidden" name="tp" value="postyy">
<input type="submit" value="Add Action" id="clickButton">
</form>
</body></html>
<script>
window.onload = function(){
	var button = document.getElementById('clickButton');
	button.form.submit();
}
</script>
```

Looking forward to your response.
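To make the mismatch in the thread above concrete, here is an added example (written for this issue, not Phoromatic's own code) that contrasts a filter validating `$_REQUEST` while the consumer reads `$_GET` with one that validates the exact superglobal the consumer reads and refuses a key supplied through more than one source. The function names and the reject list are hypothetical; the request values are constructed.

```php
<?php
// Added example for issue #650; not Phoromatic's code. Function names are hypothetical.
// Constructed request: the same key arrives via both GET and POST.
// Under PHP's default request_order "GP", the POST value is what lands in $_REQUEST.
$_GET['tp']     = '<script>alert(1)</script>';
$_POST['tp']    = 'safe-profile';
$_REQUEST['tp'] = $_POST['tp'];

// Constructed subset of strings to reject, standing in for pts_strings::safety_strings_to_reject().
function reject_strings(): array { return array('<', '>', 'script'); }

function contains_rejected(string $value): bool {
    foreach (reject_strings() as $bad) {
        if (stripos($value, $bad) !== false) return true;
    }
    return false;
}

// Vulnerable pattern: the filter inspects $_REQUEST, the consumer reads $_GET.
function vulnerable_lookup(): string {
    if (contains_rejected($_REQUEST['tp'])) return 'rejected';
    return $_GET['tp'];   // attacker-controlled value passes the filter untouched
}

// Hardened pattern: validate the array the consumer actually reads.
function input_from(array $source, string $key): ?string {
    if (!isset($source[$key]) || is_array($source[$key]) || $source[$key] === '') return null;
    $value = (string) $source[$key];
    return contains_rejected($value) ? null : $value;
}

function hardened_lookup(): string {
    // A key present in both GET and POST is ambiguous; refuse rather than guess which one wins.
    if (isset($_GET['tp']) && isset($_POST['tp'])) return 'rejected';
    $tp = input_from($_GET, 'tp');
    if ($tp === null) return 'rejected';
    // Input filtering is a backstop; the value is still escaped at the point it reaches HTML.
    return htmlspecialchars($tp, ENT_QUOTES, 'UTF-8');
}

echo "vulnerable: " . vulnerable_lookup() . "\n";
echo "hardened:   " . hardened_lookup() . "\n";
```

Running it shows the vulnerable path echoing the GET value that the `$_REQUEST` check never saw, while the hardened path rejects the request because the key came from two sources.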
…_if_invalid_input_found() Fixes: #650 (comment)
Thank you @michaellarabel for applying this fix. This fix solves multiple reports that I had.
CVE-2022-40704 is assigned to this report.
Hello,
I would like to report a possible XSS vulnerability.
In file https://github.com/phoronix-test-suite/phoronix-test-suite/blob/master/pts-core/phoromatic/pages/phoromatic_r_add_test_details.php
In file https://github.com/phoronix-test-suite/phoronix-test-suite/blob/master/pts-core/objects/pts_test_profile.php
In file https://github.com/phoronix-test-suite/phoronix-test-suite/blob/master/pts-core/objects/pts_test_profile_parser.php
Now the input is in the xml property in object $test_profile.
In file https://github.com/phoronix-test-suite/phoronix-test-suite/blob/master/pts-core/phoromatic/pages/phoromatic_r_add_test_details.php
In file https://github.com/phoronix-test-suite/phoronix-test-suite/blob/master/pts-core/objects/pts_test_profile_parser.php
Thus the input will be controlled by the attacker, saved in the xml then extracted and printed through the variable $supported_os.