Reflected Cross-site Scripting in returnFilesIds() function #995

Closed
KietNA-HPT opened this issue Sep 8, 2021 · 1 comment
KietNA-HPT commented Sep 8, 2021

Dear @ignacionelson,
I found a vulnerability that executes a malicious script in the user's browser.

Description:

Because the output data echoed by the returnFilesIds() function in {webroot}/includes/Classes/Download.php is not sanitized, a low-privilege user (Uploader role) can call this function through the process.php file and execute script code.

PoC:

{webroot}/process.php?do=return_files_ids&files[0][name]=x&files[0][value]=23"><img src=x onerror=alert(1);>

Solutions:

```php
public function returnFilesIds($file_ids)
{
    $this->check_level = array(9,8,7,0);
    if (isset($file_ids)) {
        // do a permissions check for logged in user
        if (current_role_in($this->check_level)) {
            $file_list = array();
            foreach($file_ids as $key => $data) {
                $file_list[] = $data['value'];
            }
            ob_clean();
            flush();
            $return = implode( ',', $file_list );
        }
        else {
            return false;
        }
    }
    else {
        return false;
    }

    echo htmlentities($return); // fixed in here: HTML encoding prevents XSS
}
```
@ignacionelson (Collaborator) commented:

Hi! Thanks for your report. This seems to be based on r1295 instead of the code on this repository, and this issue was already fixed here by casting the value to integer.

```php
$file_list[] = (int)$data['value']; //file-id must be int
```

Thank you again!
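As an added illustration of both comments above (example code, not ProjectSend's own and not from either participant): the unsafe pattern from the report beside the project's integer cast, plus a stricter variant (an assumption, not in the project) that rejects non-numeric ids outright, all run on a constructed request value.

```php
<?php
// Added example, not ProjectSend's own code; inputs below are constructed.

// Unsafe: joins attacker-controlled values verbatim (the reported bug).
function returnFilesIdsUnsafe(array $file_ids): string
{
    $file_list = [];
    foreach ($file_ids as $data) {
        $file_list[] = $data['value'];
    }
    return implode(',', $file_list);
}

// The project's fix: file ids are integers, so cast each value.
// '23"><b>x</b>' becomes 23; anything non-numeric becomes 0.
function returnFilesIdsCast(array $file_ids): string
{
    $file_list = [];
    foreach ($file_ids as $data) {
        $file_list[] = (int) $data['value'];
    }
    return implode(',', $file_list);
}

// Stricter variant (an assumption, not in the project): refuse any value that
// is not a string of digits instead of silently coercing it to 0, and
// HTML-encode the result as defence in depth for other output contexts.
function returnFilesIdsStrict(array $file_ids)
{
    $file_list = [];
    foreach ($file_ids as $data) {
        $value = $data['value'] ?? '';
        if (!is_string($value) || !ctype_digit($value)) {
            return false;
        }
        $file_list[] = (int) $value;
    }
    return htmlspecialchars(implode(',', $file_list), ENT_QUOTES, 'UTF-8');
}

// Constructed input shaped like files[0][name]=x&files[0][value]=... from
// the request; the first value carries markup, the second is a real id.
$files = [
    ['name' => 'x', 'value' => '23"><b>injected</b>'],
    ['name' => 'y', 'value' => '42'],
];
echo returnFilesIdsUnsafe($files), PHP_EOL; // markup passes through untouched
echo returnFilesIdsCast($files), PHP_EOL;   // only the leading digits survive
var_dump(returnFilesIdsStrict($files));     // the whole request is rejected
```

The cast is sufficient here because the value is only ever an id; the strict variant additionally surfaces tampering as a failed request rather than a silently altered id.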
