HaschekSolutions / pictshare

:camera: PictShare is an open source image, mp4, pastebin hosting service with a simple resizing and upload API that you can host yourself. :rice_scene:
https://www.pictshare.net
Apache License 2.0

Possible XSS vulnerability #133

Closed enferas closed 2 years ago

enferas commented 2 years ago

Hello,

I would like to report an XSS vulnerability.

in api/info.php

function getInfoAboutHash

function getInfoAboutHash($hash)
{
    // ...

    return array('hash'=>$hash,'size_bytes'=>$size,'size_interpreted'=>$size_hr,'type'=>$type,'type_interpreted'=>getTypeOfFile($file));
}

line 15

$hash = $_REQUEST['hash'];
// ...
    $answer = getInfoAboutHash($hash);
    $answer['status'] = 'ok';
    exit(json_encode($answer));
// ...

The exit function will terminate the script and print the message, which contains $_REQUEST['hash']. Then there is an XSS vulnerability.

geek-at commented 2 years ago

Cannot confirm, because the script will return {"status":"err","reason":"File not found"} if the hash is invalid (see here) because of line 17.

But I did find another small bug: if you leave the hash variable out, it was telling you the size of the data folder.


Thanks!

enferas commented 2 years ago

Thank you for the confirmation.

CVE-2021-43683 is assigned to this discovery.

pictshare v1.5 is affected by a Cross Site Scripting (XSS) vulnerability in api/info.php. The exit function will terminate the script and print the message which has $_REQUEST['hash'].

geek-at commented 2 years ago

Do you have a PoC because I can't reproduce as it will just say "file not found" if an invalid hash is supplied

enferas commented 2 years ago

Thank you for your response.

Specific values can pass through json_encode. This example gives an alert for me.

<?php
$output = ["A"=>"<img src='#' onerror=alert(1)>","B"=>"Safe"];
echo json_encode($output);
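
The pattern discussed in this thread, as an added illustration (not PictShare's code): a JSON body built from request data and emitted with the default json_encode() flags and no Content-Type header, next to a hardened form. The allow-list regex, the function names and the sample hash value are assumptions constructed for the example.

```php
<?php
// Added example, not code from the pictshare repository. It reproduces the
// shape of api/info.php described above: attacker-influenced data placed in
// an array and returned via exit(json_encode(...)).

// Constructed sample input standing in for $_REQUEST['hash'].
$hash = "<img src='#' onerror=alert(1)>";

// Vulnerable pattern. json_encode() by default escapes only quotes,
// backslashes and "/", so "<" and ">" reach the client unchanged. Because
// no Content-Type is set, PHP serves the body as text/html and a browser
// that opens the URL directly parses the markup and runs the handler.
function vulnerableBody(string $hash): string
{
    $answer = ['hash' => $hash, 'status' => 'ok'];
    return json_encode($answer);
}

// Hardened pattern, three independent layers:
//  1. validate the identifier against an allow-list before using it
//     (hypothetical format; use the real hash alphabet of the application),
//  2. HTML-escape <, >, &, ' and " inside the JSON as \uXXXX sequences,
//  3. declare the response as JSON so browsers never render it as HTML.
function hardenedBody(string $hash): ?string
{
    if (!preg_match('/^[a-zA-Z0-9]{1,64}$/', $hash)) {
        return null; // caller answers with a generic "invalid hash" error
    }
    $answer = ['hash' => $hash, 'status' => 'ok'];
    return json_encode(
        $answer,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
}

// Emit a JSON body with the headers that stop HTML interpretation.
function sendJson(string $body): void
{
    header('Content-Type: application/json; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    exit($body);
}

// Compare the two encodings of the same hostile value on the CLI.
echo vulnerableBody($hash), PHP_EOL;
var_dump(hardenedBody($hash));          // rejected by the allow-list
echo json_encode(['hash' => $hash], JSON_HEX_TAG | JSON_HEX_APOS), PHP_EOL;
echo hardenedBody('abc123'), PHP_EOL;   // a well-formed identifier passes
```

Run from the command line the third line shows the angle brackets and apostrophes as \u escapes, which is what keeps the value inert even if a client mislabels the body as HTML.
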

geek-at commented 2 years ago

You do realize that the bug was fixed 3 years before you opened the CVE, right? Pictshare 1.5 was released in 2018

vitalijalbu commented 2 years ago

@geek-at would be better if you add releases on this repo, so people can easily ask questions and open issues.

geek-at commented 2 years ago

I'm open to pull requests if you want to automate it on every push. At the moment the "releases" are basically what's on docker hub.

Rolling updates I find more suitable for a project of this scope because it's easier to manage and faster to update with a git pull if you don't want to use the docker image