XX vulnerability in index.php #80
Comments
|
Thank you for reporting, I added htmlspecialchars($_FILES['file']['name']). Don't know if this can solve the issue? |
|
Thank you for your response. Yes, exactly, that solves the issue. I would also like to mention a security issue in https://github.com/xiebruce/PicUploader/blob/master/settings/SettingController.php

    public function getStorageParams($params){
        $key = $params['key'];
        $jsonFile = $this->storagesDir.'/storage-'.$key.'.json';
        if(is_file($jsonFile)){
            $columns = json_decode(file_get_contents($jsonFile), true);
            $code = 0;
        }else{
            //....
        }
        unset($columns['name']);
        $returnArr = [
            'code' => $code,
            'data' => $columns,
        ];
        //....
        return json_encode($returnArr);
    }
    public function setStorageParams($params){
        //...
        $config = json_encode($_POST, JSON_UNESCAPED_SLASHES);
        //...
        $config = str_replace('\u202a', '', $config);
        file_put_contents($jsonFile, $config);
        //....
    }

You are saving the $_POST in a file through the function getStorageParams without sanitization. Then you use the function getStorageParams to retrieve the information. Are you using this file in your project? If yes, we need to sanitize the input. |
|
Thank you so much, now I updated the code as below:

    $post = [];
    foreach($_POST as $key=>$val){
        $post[$key] = htmlspecialchars($val);
    }
    $config = json_encode($post, JSON_UNESCAPED_SLASHES); |
|
CVE-2022-36748 is assigned to the first report in /master/index.php |
I've deleted that tag v2.6.3 |
|
CVE-2022-41442 is assigned to the second report. |
Second report? Did you mean this? But I've already fixed it. If I didn't, please point it out (coz I can't understand you clearly). |
|
Yes, the vulnerability is already fixed. Thanks for your confirmation. |
|
OK, got it. |
Hello,
I would like to report a possible XSS vulnerability.
In file https://github.com/xiebruce/PicUploader/blob/master/index.php
It is possible to do the injection with the name of the file through $_FILES['file']['name'].
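An added example, not code from PicUploader or from anyone in this thread: the loop posted above calls htmlspecialchars() on each top-level $_POST value, which fails when a field arrives as an array (a TypeError on PHP 8) and, before PHP 8.1, leaves single quotes unescaped by default. The sketch below escapes recursively with explicit flags; the function name `escape_for_html` and all sample values are hypothetical, and it assumes PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

/**
 * Added example (not PicUploader code): HTML-escape every string in a
 * possibly nested array, such as $_POST or a decoded storage JSON file.
 */
function escape_for_html(mixed $value): mixed
{
    if (is_array($value)) {
        $out = [];
        foreach ($value as $k => $v) {
            // Keys are client-controlled too when the source is $_POST.
            $out[escape_for_html((string)$k)] = escape_for_html($v);
        }
        return $out;
    }
    if (is_string($value)) {
        // ENT_QUOTES escapes both quote styles, so the result is also safe
        // inside quoted HTML attributes; ENT_SUBSTITUTE replaces invalid
        // UTF-8 instead of returning an empty string.
        return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
    return $value; // ints, floats, bools and null carry no markup
}

// Constructed sample input standing in for $_FILES['file']['name'] and $_POST.
$uploadName = '<img src=x onerror=alert(1)>.png';
$post = [
    'key'     => 'demo',
    'bucket'  => '"><script>alert(1)</script>',
    'domains' => ['a.example', '<b>b.example</b>'], // array-valued field
];

echo escape_for_html($uploadName), PHP_EOL;
echo json_encode(escape_for_html($post), JSON_UNESCAPED_SLASHES), PHP_EOL;
```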