kalkun-sms/Kalkun

Possible XSS vulnerability

Opened this issue · 1 comment

Hello,

I would like to report a possible XSS vulnerability with the user name.

We see that the username is set in the DB without sanitization in file Kalkun-devel\application\models\User_model.php

$this->db->set('username', trim($this->input->post('username')));

Then the username is retrieved from the DB and set in the session, and the user is redirected to 'kalkun', in file Kalkun-devel\application\models\Kalkun_model.php

function login(){
  $username = $this->input->post('username');
  $this->db->from('user');
  $this->db->where('username', $username);
  $query = $this->db->get();

  if ($query->num_rows() === 1 && password_verify($this->input->post('password'), $query->row('password')))
  {
    //..
    $this->session->set_userdata('username', $query->row('username'));
    //...
  }
  if ($this->input->post('r_url'))
  {
    redirect($this->input->post('r_url'));
  }
  else
  {
    redirect('kalkun');
  }
}

In file Kalkun-devel\application\controllers\Kalkun.php

function index()
{
  //...
  $this->load->view('main/layout', $data);
}

In file Kalkun-devel\application\views\main\layout.php

<?php $this->load->view('main/dock');?>

Finally, in file Kalkun-devel\application\views\main\dock.php

<?php echo $this->session->userdata('username');?>

Thank you. Would you please submit a pull request with a fix?
A suggestion on how to fix XSS can be found here:
https://github.com/kalkun-sms/Kalkun/wiki/Developing#pull-request-checklist
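The following is an added example, not Kalkun's code and not the fix the maintainers asked for in the wiki checklist. It isolates the sink described in the report (a session username echoed straight into dock.php) as two plain functions so the difference is visible without a CodeIgniter install: one renders the value unescaped, the other escapes it at the output boundary with htmlspecialchars(). The helper names, the constructed payload and the optional username whitelist are all assumptions made for the demo; CodeIgniter 3's html_escape() wraps htmlspecialchars() in the same way, assuming Kalkun is on CI3.

```php
<?php
// Added example, not Kalkun's own code. Demonstrates the stored-XSS sink from
// the report and the output-escaping fix a defender would apply in the view.

// Stand-in for the current dock.php line: the session username is emitted
// verbatim into the HTML, so whatever was stored at registration is rendered
// as markup.
function render_dock_unescaped(string $username): string
{
    return '<div id="dock">' . $username . '</div>';
}

// Hardened form: escape at the point of output. ENT_QUOTES covers attribute
// contexts as well as text nodes; the explicit charset avoids mis-decoding.
// (CodeIgniter 3's html_escape() helper does the same thing; assumption.)
function render_dock_escaped(string $username): string
{
    return '<div id="dock">'
        . htmlspecialchars($username, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</div>';
}

// Optional defence-in-depth for User_model: only accept a conservative
// alphabet when the username is created or changed. This does NOT replace
// output escaping; it just keeps hostile strings out of the DB in the first
// place. The alphabet and length limit are assumptions for the demo.
function is_valid_username(string $username): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_.-]{1,64}$/', $username);
}

// Cheap regression check a view test could run: no raw tag may survive.
function contains_raw_tag(string $html_fragment): bool
{
    return (bool) preg_match('/<\s*script/i', $html_fragment);
}

// Constructed payload for the demo (not taken from the issue).
$payload = '<script>alert(document.cookie)</script>';

echo "Unescaped dock:\n", render_dock_unescaped($payload), "\n";
echo "Escaped dock:\n", render_dock_escaped($payload), "\n";

// Results: the unescaped rendering still carries a live <script> element,
// the escaped one renders the payload as inert text.
var_dump(contains_raw_tag(render_dock_unescaped($payload))); // bool(true)
var_dump(contains_raw_tag(render_dock_escaped($payload)));   // bool(false)

// Input-side check: the payload fails the whitelist, a normal name passes.
var_dump(is_valid_username($payload));    // bool(false)
var_dump(is_valid_username('alice_01'));  // bool(true)
```

The important design point is that escaping belongs in the view (or in a helper the view calls), keyed to the context the value lands in: a username echoed into a text node needs htmlspecialchars(), the same value placed into a JavaScript string or a URL would need a different encoder. Trimming or filtering on the way into the database, as the report's User_model line does, is not a substitute, because the stored value is displayed in more than one place and every echo has to be safe on its own.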