Headline
CVE-2022-36305: Possible XSS Vulnerability · Issue #2252 · serghey-rodin/vesta
Vesta v1.0.0-5 was discovered to contain a cross-site scripting (XSS) vulnerability in /web/api/v1/upload/UploadHandler.php: the client-supplied MIME type of an uploaded file (`$_FILES[...]['type']`) is copied into the upload result, JSON-encoded without the `JSON_HEX_*` flags, and echoed verbatim to the response by the `body` function.
Hello,
I would like to report a possible XSS vulnerability (reflected, via an attacker-controlled upload field).
In file https://github.com/serghey-rodin/vesta/blob/master/web/api/v1/upload/UploadHandler.php
The taint source is in the `post` function, which reads the upload metadata directly from `$_FILES`:
public function post($print\_response = true) {
//....
// TAINT SOURCE: everything under $_FILES[param_name] is supplied by the client
// (the browser builds the multipart body), including the 'name' and 'type'
// entries. Nothing here validates them.
$upload = isset($\_FILES\[$this\->options\['param\_name'\]\]) ? $\_FILES\[$this\->options\['param\_name'\]\] : null;
// ....
foreach ($upload\['tmp\_name'\] as $index => $value) {
// $file_name, $size and $content_range come from the elided part above
// (presumably taken from the request headers — confirm against the full file).
// The object returned by handle_file_upload keeps the client-supplied type
// as $file->type, so each element of $files is tainted.
$files\[\] = $this\->handle\_file\_upload(
$upload\['tmp\_name'\]\[$index\],
$file\_name ? $file\_name : $upload\['name'\]\[$index\],
$size ? $size : $upload\['size'\]\[$index\],
$upload\['type'\]\[$index\], // TAINT: client-declared MIME type, passed through unvalidated
$upload\['error'\]\[$index\],
$index,
$content\_range
);
}
//.....
// The tainted objects are json_encode()d and, when $print_response is true,
// echoed to the HTTP response by generate_response().
return $this\->generate\_response(
array($this\->options\['param\_name'\] => $files),
$print\_response
);
}
The value is propagated unchanged by `handle_file_upload`, which stores it on the result object:
protected function handle\_file\_upload($uploaded\_file, $name, $size, $type, $error,
//.....
// $type is the MIME type the client declared in the multipart request
// ($_FILES[...]['type']). It is stored verbatim; it is not derived from the
// file contents. NOTE(review): if any validation of $type exists it is in the
// elided part of this function — confirm against the full file.
$file\->type = $type;
//....
// $file (with the tainted ->type) is what post() collects into $files and
// hands to generate_response().
return $file;
}
It is then serialized and written out by `generate_response`:
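protected function generate_response($content, $print_response = true) {
    if ($print_response) {
        // $content carries client-controlled strings (e.g. the MIME type copied
        // from $_FILES[...]['type']) straight into the response. A bare
        // json_encode() only escapes " and \, so a value like "<script>" survives
        // intact. The JSON_HEX_* flags turn < > & ' " into \uXXXX escapes: the
        // result decodes to exactly the same value, but can no longer break out
        // of a page that renders this response as HTML.
        $json = json_encode(
            $content,
            JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
        );
        //.....
        // NOTE(review): the elided part is where the response headers are sent;
        // it should set Content-Type: application/json (and
        // X-Content-Type-Options: nosniff) before body() echoes the string,
        // so that browsers never interpret the JSON as HTML.
        $this->body($json);
    }
}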
Finally, the sink is the `body` function, which echoes the JSON string verbatim. Note that `json_encode` leaves `<` and `>` unescaped unless `JSON_HEX_TAG` (and ideally `JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT`) is passed, so a payload such as `<script>…</script>` in the declared MIME type reaches the response intact; whether it executes depends on the Content-Type sent in the elided part of `generate_response`. The fix is to pass the `JSON_HEX_*` flags to `json_encode` and to send `Content-Type: application/json` with `X-Content-Type-Options: nosniff` before `body()` is called.
protected function body($str) {
    // SINK: writes $str to the HTTP response as-is. This method performs no
    // escaping and sets no headers of its own, so whatever is passed in (the
    // JSON produced by generate_response) must already be safe for the
    // context the browser will interpret it in.
    echo $str;
}