SimpleMachines / SMF

Simple Machines Forum — SMF in short — is free and open-source community forum software, delivering professional grade features in a package that allows you to set up your own online community within minutes!
https://www.simplemachines.org/

Crafted urls cors schema error #7623

Open jdarwood007 opened 1 year ago

jdarwood007 commented 1 year ago

Description

https://myforum/index.php?form=%3C/script%3E%3Cimg%20src%20onerror=alert(document.domain)%3E&control=upload?topic=1.0

/Sources/Security.php (Line 1422)

Type of error: Undefined
Error message 2: Undefined array key "scheme"

jdarwood007 commented 1 year ago

I've seen this on ?action=who now. I suspect it's an XHR-type request that SMF is trying to check CORS on. The simple solution here is to skip checking this if the origin doesn't have a scheme.
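
The guard proposed in the last comment, as an added example (not SMF's code and not written by the issue's author). It assumes the origin value is parsed with PHP's `parse_url()`; `normalizeOrigin()`, `originAllowed()` and the sample origin values are hypothetical and constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not SMF code. Function names are hypothetical.
// Returns a normalized [scheme, host, port] array, or null when the origin
// cannot be compared (absent, opaque "null", no scheme, no host, non-HTTP).
function normalizeOrigin(?string $origin): ?array
{
    if ($origin === null || $origin === '' || $origin === 'null') {
        return null;
    }
    $parts = parse_url($origin);
    // parse_url() returns false on seriously malformed input and otherwise
    // omits any key it did not find, so reading $parts['scheme'] directly
    // raises "Undefined array key" on PHP 8 for values such as "myforum".
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    $scheme = strtolower($parts['scheme']);
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null;
    }
    $port = $parts['port'] ?? ($scheme === 'https' ? 443 : 80);
    return ['scheme' => $scheme, 'host' => strtolower($parts['host']), 'port' => $port];
}

// True only when the origin parses cleanly and matches an allowed origin.
// A null result means: skip the CORS comparison and send no CORS headers.
function originAllowed(?string $origin, array $allowed): bool
{
    $o = normalizeOrigin($origin);
    if ($o === null) {
        return false;
    }
    foreach ($allowed as $candidate) {
        if (normalizeOrigin($candidate) === $o) {
            return true;
        }
    }
    return false;
}

// Constructed sample values: two well-formed origins for the same site,
// three without a usable scheme, and one foreign origin.
$allowed = ['https://myforum'];
$samples = ['https://myforum', 'https://MYFORUM:443', 'myforum', '//myforum', 'null', 'https://other.example'];
foreach ($samples as $s) {
    printf("%-24s %s\n", $s, originAllowed($s, $allowed) ? 'allowed' : 'skipped or denied');
}
```

Treating an unparseable origin as "not allowed" rather than falling through keeps the failure mode closed: the request is handled as a normal same-site request and no `Access-Control-Allow-Origin` header is emitted for it.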