CVE-2022-36748: XX vulnerability in index.php · Issue #80 · xiebruce/PicUploader

PicUploader v2.6.3 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /master/index.php.


Hello,

I would like to report a possible XSS vulnerability.

In file https://github.com/xiebruce/PicUploader/blob/master/index.php

```php
$data = [
    'code' => 'success',
    'data' => [
        'filename' => $_FILES['file']['name'],
        'url' => $isWeb ? $link['formatLink'] : $link, // used only for web uploads; other clients ignore this parameter
        'notFormatUrl' => $isWeb ? $link['notFormatLink'] : '',
    ],
];

header('Content-Type: application/json; charset=UTF-8');
$json = json_encode($data, JSON_UNESCAPED_UNICODE);
echo $json;
```

It is possible to do the injection with the name of the file through `$_FILES['file']['name']`.

Thank you for reporting. I added `htmlspecialchars()` to convert something like `<script>alert('sdfds')</script>` to HTML entities.

```php
htmlspecialchars($_FILES['file']['name'])
```

Don’t know if this can solve the issue?

Thank you for your response.

Yes, exactly, that solves the issue.

I would also like to mention a security issue in https://github.com/xiebruce/PicUploader/blob/master/settings/SettingController.php

```php
public function getStorageParams($params){
    $key = $params['key'];
    $jsonFile = $this->storagesDir.'/storage-'.$key.'.json';
    if(is_file($jsonFile)){
        $columns = json_decode(file_get_contents($jsonFile), true);
        $code = 0;
    }else{
        //...
    }
    unset($columns['name']);

    $returnArr = [
        'code' => $code,
        'data' => $columns,
    ];
    //....
    return json_encode($returnArr);
}

public function setStorageParams($params){
    //...
    $config = json_encode($_POST, JSON_UNESCAPED_SLASHES);
    //...
    $config = str_replace('\\u202a', '', $config);
    file_put_contents($jsonFile, $config);
    //....
}
```

You are saving the `$_POST` in a file through the function getStorageParams without sanitization. Then you use the function getStorageParams to retrieve the information. Are you using this file in your project? If yes, we need to sanitize the input.

Thank you so much, I have now updated the code as below:

```php
$post = [];
foreach($_POST as $key=>$val){
    $post[$key] = htmlspecialchars($val);
}
$config = json_encode($post, JSON_UNESCAPED_SLASHES);
```
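As an added illustration (not PicUploader's code and not either participant's), the PHP below puts the raw upload response beside the escaped one so the difference is visible in the JSON body, and extends the settings fix to nested form fields, which the single `htmlspecialchars()` call in a flat `foreach` does not cover. The function names, the `JSON_HEX_*` flags and the sample filename and POST array are constructed for this example.

```php
<?php
// Added example, not PicUploader's code. Function names and sample input are constructed.

// Vulnerable pattern: the client-supplied filename is serialised untouched.
// json_encode() escapes quotes and slashes but leaves '<' and '>' intact, so any
// client that inserts "filename" into the DOM unescaped will execute the markup.
function buildUploadResponseRaw(string $clientFilename, string $url): string {
    $data = [
        'code' => 'success',
        'data' => ['filename' => $clientFilename, 'url' => $url],
    ];
    return json_encode($data, JSON_UNESCAPED_UNICODE);
}

// Hardened pattern: HTML-encode the filename before serialising it (as the fix in
// the thread does), and additionally ask json_encode() to hex-escape HTML-significant
// characters so the JSON text itself carries no raw '<', '>', '&' or quotes.
function buildUploadResponseSafe(string $clientFilename, string $url): string {
    $data = [
        'code' => 'success',
        'data' => [
            'filename' => htmlspecialchars($clientFilename, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'),
            'url' => $url,
        ],
    ];
    $flags = JSON_UNESCAPED_UNICODE | JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return json_encode($data, $flags);
}

// Settings path: escape every string value before the array is written to the
// storage JSON file. Walking recursively matters because PHP turns fields named
// like "opts[path]" into nested arrays, and htmlspecialchars() on an array throws
// a TypeError on PHP 8 (returns null with a warning on PHP 7) instead of sanitising.
function sanitizePostArray(array $input): array {
    $clean = [];
    foreach ($input as $key => $val) {
        $safeKey = is_string($key) ? htmlspecialchars($key, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') : $key;
        if (is_array($val)) {
            $clean[$safeKey] = sanitizePostArray($val);
        } elseif (is_string($val)) {
            $clean[$safeKey] = htmlspecialchars($val, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        } else {
            $clean[$safeKey] = $val; // ints, floats, bools and null carry no markup
        }
    }
    return $clean;
}

// Constructed sample input standing in for $_FILES['file']['name'] and $_POST.
$filename = '<script>alert(1)</script>.png';
$post = [
    'key'  => 'local',
    'name' => '<img src=x onerror=alert(1)>',
    'opts' => ['path' => '/uploads/a'],
];

echo buildUploadResponseRaw($filename, 'https://example.invalid/x.png'), PHP_EOL;
echo buildUploadResponseSafe($filename, 'https://example.invalid/x.png'), PHP_EOL;
echo json_encode(sanitizePostArray($post), JSON_UNESCAPED_SLASHES), PHP_EOL;
```

Running this with `php example.php` prints the raw body with the literal `<script>` tag, then the escaped body with `&lt;script&gt;` (and, because of the `JSON_HEX_*` flags, with `&` itself rendered as `\u0026`), then the sanitised settings array with the nested `path` value preserved. The `Content-Type: application/json` header already present in the thread's upload handler is the other half of the defence: it stops browsers from rendering the response as a document, but it does nothing for a client-side script that later drops `filename` into `innerHTML`, which is why escaping the value is still needed.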
