alchemy-fr / Phraseanet

Digital Asset Management PHP app
http://www.phraseanet.com

Stored XSS #2760

Closed flow-res closed 5 years ago

flow-res commented 6 years ago

Hello, thank you for creating this wonderful application. As a fresh penetration tester I was playing with your application and found a stored XSS vulnerability, which at this stage I developed to the point that users are not able to see the content of the application and end up with a 404 error. That affects the Firefox browser and maybe others too; the Chrome browser (or the Slimjet offshoot I'm using), however, does have an XSS filter, so it is not affected. Being a stored XSS, the vulnerability is stored on the server, hence ALL users are affected. Because I see that as a serious security threat and not only "annoying", I will not share the code and technique here for now. Please contact me for the code. Regards

jygaulier commented 5 years ago

Hi. First of all, thank you for your interest in Phraseanet. As you may know, Phraseanet has been evolving for more than 15 years, but some code may be old and not managed by the framework (Silex). We are now in the process of moving the whole application to Symfony 4, which will add a "first level" of security to the input forms. But of course, even with a framework, Phraseanet can have security issues that we still don't know about.

So we would really appreciate your help to locate any vulnerability that we will fix asap.

We can communicate via direct email (not support@...). Please feel free to write to: maillat@alchemy.fr (tech. dir.); gaulier@alchemy.fr (dev. dir.); diouf@alchemy.fr (support dir.)

Thank you in advance, Jean-Yves Gaulier, ALCHEMY

On Thu, 4 Oct 2018 at 14:20, flow-res notifications@github.com wrote:

Hello, thank you for creating this wonderful application. As a fresh penetration tester I was playing with your application and found a stored XSS vulnerability, which at this stage I developed to the point that users are not able to see the content of the application. That affects the Firefox browser and maybe others; the Chrome browser (or the Slimjet offshoot I'm using) does have an XSS filter, so it's not affected. As a stored XSS, the vulnerability is stored on the server and affects ALL users. Because I see that as a serious threat and not only "annoying", I will not share the code and technique here for now. Please contact me for the code. Regards


flow-res commented 5 years ago

Thank you, I'm sending an email with description to you soon.

flow-res commented 5 years ago

I can confirm that this vulnerability has been addressed in version 4.0.7. Thank you!