Multiple XSS in index.php #134

Closed
jvoisin opened this issue Oct 22, 2013 · 3 comments

jvoisin commented Oct 22, 2013

Line 945:

echo '</channel></rss><!-- Cached version of ' . pageurl () . ' -->'; 

Line 1030:

$feed .= '</feed><!-- Cached version of ' . pageurl () . ' -->'; 
echo $feed; 

Line 1107:

echo '</channel></rss><!-- Cached version of ' . pageurl () . ' -->';

Line 1614:

echo <<<HTML
<!DOCTYPE NETSCAPE-Bookmark-file-1>
<!-- This is an automatically generated file.
     It will be read and overwritten.
     DO NOT EDIT! -->
<!-- Shaarli {$exportWhat} bookmarks export on {$currentdate} -->
[...]

Line 1750:

echo '<script language="JavaScript">alert("File ' . $filename . ' (' . $filesize . ' bytes) was successfully processed: ' . $import_count . ' links imported.");document.location=\'?\';</script>'; 

Line 1754



e2jk commented Nov 20, 2013

Thanks @jvoisin for reporting. What are your suggestions to fix this?
For the first 3 cases, would "escaping" the comment character sequence work or could one think of more clever ways to inject content? Or should the entire comment just be removed?

What about the 4th: How severe would that be? This functionality is only available for the logged-in user who wants to export his bookmarks, could such an export file be classified as XSS (i.e. is there "scripting" in bookmark files)?

About the last 2 (I suppose copy/paste didn't work properly for the last one?), what would one be able to inject with the variables $filename, $filesize and $import_count?

Let's come up with a patch to plug these holes!
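
One way to handle the two output contexts discussed above (HTML comment and JavaScript string), as an added example that is not Shaarli's code and not the fix from commit 53da201. It assumes `pageurl()` returns a string built from the request URL and that `$filename` can carry user-supplied text; the function names `cacheComment` and `importAlert` and the sample inputs are constructed for illustration.

```php
<?php
// Added example, not Shaarli code. Function names and inputs are hypothetical.

// HTML-comment context (reported lines 945, 1030, 1107).
// The value must not be able to emit "-->" or "--!>", both of which end an
// HTML comment. Both need ">", which htmlspecialchars() turns into "&gt;".
function cacheComment(string $pageUrl): string
{
    $safe = htmlspecialchars($pageUrl, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<!-- Cached version of ' . $safe . ' -->';
}

// JavaScript-string context (reported line 1750).
// HTML escaping is the wrong encoder inside <script>. json_encode() with the
// JSON_HEX_* flags produces a quoted JS string literal in which < > & ' " are
// written as \uXXXX escapes, so the value can close neither the string nor
// the <script> element.
function importAlert(string $filename, int $filesize, int $importCount): string
{
    $msg = sprintf(
        'File %s (%d bytes) was successfully processed: %d links imported.',
        $filename,
        $filesize,
        $importCount
    );
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
           | JSON_INVALID_UTF8_SUBSTITUTE; // never returns false on bad UTF-8
    $js = json_encode($msg, $flags);
    return '<script>alert(' . $js . ');document.location="?";</script>';
}

// Constructed inputs: a URL and a file name containing markup characters.
$url  = 'http://example.test/?do=rss&x=--><b>injected</b>';
$name = 'bookmarks"</script><b>injected</b>.html';

// Pattern from the report: the comment is closed early by the "-->" in $url.
echo '<!-- Cached version of ' . $url . ' -->', "\n";

// Encoded for each context: the value stays inside the comment / the string.
echo cacheComment($url), "\n";
echo importAlert($name, 120, 3), "\n";
```

Comparing the first and second lines of output shows the difference: in the unencoded line the `<b>` element sits outside the comment, in the encoded one the whole URL remains comment text.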

sebsauvage added a commit that referenced this issue Nov 29, 2013

Closed by commit 53da201


e2jk commented Apr 1, 2014

Just as an FYI, this security issue got a CVE (Common Vulnerabilities and Exposures) ID assigned: CVE-2013-7351.

nodiscc pushed a commit to shaarli/shaarli-pkg-debian that referenced this issue Sep 26, 2016