Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

File Manipulation and Cross Site Scripting in usererror.missing_extension.php #2639

Closed
Xyntax opened this issue Jan 17, 2017 · 6 comments
Closed

File Manipulation and Cross Site Scripting in usererror.missing_extension.php #2639

Xyntax opened this issue Jan 17, 2017 · 6 comments
Assignees
@brendo @nitriques
Labels
1 - Minor Fix found Fixed in 2.6.x

Comments

@Xyntax
Copy link

Xyntax commented Jan 17, 2017

File Manipulation

https://github.com/symphonycms/symphony-2/blob/master/symphony/template/usererror.missing_extension.php#L15

@rename(EXTENSIONS . '/' . $_POST['existing-folder'], EXTENSIONS . '/' . $_POST['new-folder']))

Data from $_POST is passed directly into filepath, attacker may control filepath with injecting ../.

Cross Site Scripting

https://github.com/symphonycms/symphony-2/blob/master/symphony/template/usererror.missing_extension.php#L18

$name = $_POST['existing-folder'];
...
Symphony::Engine()->throwCustomError(
                __('Could not find extension %s at location %s.', array(
                    '<code>' . $name . '</code>',
                    '<code>' . $path . '</code>'
                )),

Here data from $_POST to HTML allows attacker to trigger an XSS with payload llike existing-folder=</code><script>xxx</script>
@brendo
Copy link
Member

brendo commented Jan 17, 2017

Thank you for reporting @Xyntax.

@nitriques First might need a custom check to ensure an attacker can't traverse up (or down) in the tree. Second can be solved using filter_var IMO.

@nitriques
Copy link
Member

Boy do I want to remove all to pesky $_ access.

@nitriques
Copy link
Member

Thank you for reporting @Xyntax.

If you ever discover of security bugs. please follow our disclosure policy: https://github.com/symphonycms/symphony-2/wiki/Security-Bug-Disclosure

nitriques added a commit that referenced this issue Jan 17, 2017
@nitriques
Prevent Cross Site Scripting
fbab292 
This commits makes sure we sanitize input before outputing them.

Re: #2639
@nitriques
Copy link
Member

@Xyntax
fbab292 fixes the XSS issue
e177fc7 fixes the path traversal issue

@brendo could you review please ?

@nitriques
Copy link
Member

2.6.10 is out

@munki-boy
Copy link

👍 @nitriques

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@brendo brendo

@nitriques nitriques

Labels
1 - Minor Fix found Fixed in 2.6.x
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@brendo @nitriques @munki-boy @Xyntax