CVE-2022-36748: XX vulnerability in index.php · Issue #80 · xiebruce/PicUploader
PicUploader v2.6.3 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /master/index.php.
Hello,
I would like to report a possible XSS vulnerability.
In the file https://github.com/xiebruce/PicUploader/blob/master/index.php:
```php
$data = [
    'code' => 'success',
    'data' => [
        'filename' => $_FILES['file']['name'],
        'url' => $isWeb ? $link['formatLink'] : $link, // only used for web uploads; other clients ignore this parameter
        'notFormatUrl' => $isWeb ? $link['notFormatLink'] : '',
    ],
];
header('Content-Type: application/json; charset=UTF-8');
$json = json_encode($data, JSON_UNESCAPED_UNICODE);
echo $json;
```
It is possible to do the injection with the name of the file through `$_FILES['file']['name']`.
Thank you for reporting. I added an htmlspecialchars() call to convert something like `<script>alert('sdfds')</script>` to HTML entities:

```php
htmlspecialchars($_FILES['file']['name'])
```

Don't know if this can solve the issue?
Thank you for your response.
Yes, exactly, that solves the issue.
I would also like to mention a security issue in https://github.com/xiebruce/PicUploader/blob/master/settings/SettingController.php:
```php
public function getStorageParams($params){
    $key = $params['key'];
    $jsonFile = $this->storagesDir.'/storage-'.$key.'.json';
    if(is_file($jsonFile)){
        $columns = json_decode(file_get_contents($jsonFile), true);
        $code = 0;
    }else{
        //...
    }
    unset($columns['name']);
    $returnArr = [
        'code' => $code,
        'data' => $columns,
    ];
    //....
    return json_encode($returnArr);
}

public function setStorageParams($params){
    //...
    $config = json_encode($_POST, JSON_UNESCAPED_SLASHES);
    //...
    $config = str_replace('\\u202a', '', $config);
    file_put_contents($jsonFile, $config);
    //....
}
```
You are saving the `$_POST` in a file through the function getStorageParams without sanitization. Then you use the function getStorageParams to retrieve the information. Are you using this file in your project? If yes, we need to sanitize the input.
Thank you so much, I have now updated the code as below:

```php
$post = [];
foreach($_POST as $key=>$val){
    $post[$key] = htmlspecialchars($val);
}
$config = json_encode($post, JSON_UNESCAPED_SLASHES);
```
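The two fixes from this thread, the upload response and the settings handler, combined into one added example. This is not PicUploader's code: the function names are hypothetical, the inputs are constructed stand-ins for `$_FILES['file']['name']` and `$_POST`, and it adds two things the thread does not show: recursion into array values (PHP 8's htmlspecialchars() rejects non-strings, and `$_POST` may contain nested arrays) and `JSON_HEX_*` escaping plus `X-Content-Type-Options: nosniff`, so the response stays harmless even if a browser renders the JSON body as HTML.

```php
<?php
// Added example (not PicUploader's code). Function names are hypothetical.
declare(strict_types=1);

// HTML-encode a value, recursing into arrays because $_POST may contain
// nested arrays and htmlspecialchars() itself accepts only strings.
function sanitizeForHtml(mixed $value): mixed {
    if (is_array($value)) {
        return array_map('sanitizeForHtml', $value);
    }
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Upload response: the filename is client-controlled, so it is reduced to
// its basename and HTML-encoded. JSON_HEX_* additionally escapes <, >, &, ', "
// as \uXXXX, which a JSON parser still decodes to the same characters.
function buildUploadResponse(string $clientFilename, string $url): string {
    $data = [
        'code' => 'success',
        'data' => [
            'filename' => sanitizeForHtml(basename($clientFilename)),
            'url'      => $url,
        ],
    ];
    return json_encode(
        $data,
        JSON_UNESCAPED_UNICODE | JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS
            | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Settings handler: sanitize every posted value (including nested arrays)
// before it is persisted, so what getStorageParams() reads back is already safe.
function buildStorageConfig(array $post): string {
    return json_encode(sanitizeForHtml($post), JSON_UNESCAPED_SLASHES | JSON_THROW_ON_ERROR);
}

// Constructed sample inputs standing in for $_FILES['file']['name'] and $_POST.
$filename = "<script>alert('x')</script>.png";
$post     = ['name' => 'demo', 'opts' => ['key' => '"><img src=x>']];

header('Content-Type: application/json; charset=UTF-8');
header('X-Content-Type-Options: nosniff'); // browser must not sniff the JSON as HTML
echo buildUploadResponse($filename, 'https://example.invalid/u/1.png'), "\n";
echo buildStorageConfig($post), "\n";
```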