XSS Vulnerability
paurkedal opened this issue · 2 comments
paurkedal commented
Archon substitutes unescaped query strings into HTML at various places, making it vulnerable to cross-site scripting attacks. We found out through https://www.openbugbounty.org/incidents/202333/, which I hope to have fixed with the following, though a fgrep '\"$' -r * --include \*.php suggests there may be more cases.
--- packages/core/pub/contact.php 2017-02-23 18:00:19.289374542 +0100
+++ packages/core/pub/contact.php.orig 2014-01-17 21:24:06.000000000 +0100
@@ -67,7 +67,7 @@
$in_referer = $_REQUEST['referer'] ? $_REQUEST['referer'] : urlencode($_REQUEST['HTTP_REFERER']);
- $repositoryid = $_REQUEST['repositoryid'] ? int($_REQUEST['repositoryid']) : 0;
+ $repositoryid = $_REQUEST['repositoryid'] ? $_REQUEST['repositoryid'] : 0;
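Review bot: the diff is reversed (the --- side is the patched 2017 file, the +++ side is contact.php.orig), so the `-` line here is the fix and the `+` line the current code. On that `-` line, `int($_REQUEST['repositoryid'])` is not valid PHP: `int` is a type name, not a function, so this calls an undefined function and fatals whenever `repositoryid` is supplied. Use a cast or intval(), for example `$repositoryid = isset($_REQUEST['repositoryid']) ? (int) $_REQUEST['repositoryid'] : 0;`. The unchanged `$in_referer` line above still takes `$_REQUEST['referer']` verbatim with no validation, so the only thing between it and the page is the escaping applied in the next hunk.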
@@ -111,8 +111,8 @@
$form = "<input type=\"hidden\" name=\"f\" value=\"sendemail\" />\n";
$form .= "<input type=\"hidden\" name=\"p\" value=\"core/contact\" />\n";
- $form .= "<input type=\"hidden\" name=\"referer\" value=\"".htmlspecialchars($in_referer)."\" />\n";
- $form .= "<input type=\"hidden\" name=\"query_string\" value=\"".htmlspecialchars($query_string)."\" />\n";
+ $form .= "<input type=\"hidden\" name=\"referer\" value=\"$in_referer\" />\n";
+ $form .= "<input type=\"hidden\" name=\"query_string\" value=\"$query_string\" />\n";
$form .= "<input type=\"hidden\" name=\"RepositoryID\" value=\"$repositoryid\" />\n";
$strRequiredMarker = "<span style=\"color:red\">*</span>";
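Review bot: `$repositoryid` on the unchanged `RepositoryID` line is still interpolated into the attribute without htmlspecialchars(); with this reversed diff that line relies entirely on the `int(...)` cast in the first hunk, which does not run as written, so a double quote in `repositoryid` still closes the attribute. Either escape it here the same way as the two `-` lines above or make the cast in the first hunk a real `(int)`. Consider also passing `ENT_QUOTES` and a charset to htmlspecialchars(), e.g. `htmlspecialchars($in_referer, ENT_QUOTES, 'UTF-8')`: on the PHP versions of that time the default flags encode only double quotes, which is enough for these double-quoted attributes but breaks silently if anyone later switches an attribute to single quotes.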
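The fgrep in the report only catches a `$` immediately after an escaped quote. The following Python scanner, added here as an example and not part of Archon or of the reporter's patch, covers the same pattern plus the concatenation form (`\"" . $var . "\"`) and skips variables wrapped in htmlspecialchars(). The PHP lines it scans are constructed for this example from the diff above (both the escaped and the unescaped variants) plus two concatenation-style lines that are not on the page.

```python
import re

# Constructed sample input: the contact.php lines from the issue's diff,
# escaped and unescaped variants side by side, plus two concatenation-style
# lines ($link) added for this example. Not the project's actual file.
SAMPLE_PHP = r'''
$form .= "<input type=\"hidden\" name=\"referer\" value=\"".htmlspecialchars($in_referer)."\" />\n";
$form .= "<input type=\"hidden\" name=\"query_string\" value=\"".htmlspecialchars($query_string)."\" />\n";
$form .= "<input type=\"hidden\" name=\"referer\" value=\"$in_referer\" />\n";
$form .= "<input type=\"hidden\" name=\"query_string\" value=\"$query_string\" />\n";
$form .= "<input type=\"hidden\" name=\"RepositoryID\" value=\"$repositoryid\" />\n";
$strRequiredMarker = "<span style=\"color:red\">*</span>";
$link = "<a href=\"" . $url . "\">link</a>";
$link = "<a href=\"" . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . "\">link</a>";
'''.strip("\n")

# A PHP variable interpolated right after an escaped quote inside a
# double-quoted string, e.g. value=\"$in_referer\" or value=\"{$row['id']}\".
INTERPOLATED = re.compile(r'\\"\s*\{?\$(\w+)')

# The concatenation form of the same mistake, e.g. href=\"" . $url . "\".
# A line such as href=\"" . htmlspecialchars($url) . "\" does not match
# because the token after the dot is a function name, not a variable.
CONCATENATED = re.compile(r'\\"\s*"\s*\.\s*\$(\w+)')


def find_unescaped(src):
    """Return [(line_number, variable_name)] for every variable that is
    written into an HTML attribute without passing through an escaper."""
    findings = []
    for lineno, line in enumerate(src.splitlines(), start=1):
        for pattern in (INTERPOLATED, CONCATENATED):
            for match in pattern.finditer(line):
                findings.append((lineno, match.group(1)))
    return findings


def report(src, filename="contact.php"):
    """grep -n style output for the findings."""
    return [f"{filename}:{lineno}: ${name}" for lineno, name in find_unescaped(src)]


if __name__ == "__main__":
    for entry in report(SAMPLE_PHP):
        print(entry)
```

The scanner is a heuristic: it only looks at double-quoted attribute values built inside PHP double-quoted strings, so output via `echo $x` into element bodies, single-quoted attributes, and values that are escaped earlier in the function will need a manual pass. Treat every hit as a line to read, not as a confirmed bug.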
chrisprom commented
Petter, thanks. Can you pass this back to this branch? They are working on security updates and may have already addressed this.
https://github.com/LibraryHost/archon/tree/dev
Hope you are well!
Chris Prom
chris.prom@gmail.com
paurkedal commented
Good to hear, and thanks for the pointer. I opened LibraryHost#7.
Hope you're well too!