dehnavi / get-simple-cms

Automatically exported from code.google.com/p/get-simple-cms
GNU General Public License v3.0

XSS on archive.php #355

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
After deleting any file, getSimple goes to:

http://www.site.com/admin/archive.php?upd=del-success&id=myFile

but if we add some extra characters into the URL:

http://www.site.com/admin/archive.php?upd=del-success&id=myFile%3Ciframe%20src=%22http://www.getsimple.nsn2/theme/Innovation/assets/images/share.png%22%20onnload=%22alert%281%29%22%3E

we can add an iframe to the generated webpage (in this example). So if we can modify the HTML generated for archive.php we have a security problem.

Original issue reported on code.google.com by aquinadie on 20 Sep 2012 at 4:01

GoogleCodeExporter commented 9 years ago
This is probably sourced to the error_checking.php which I have complained about in another issue.

$_GET['id'] is not sanitized in any of the outputs it produces.

Will fix asap.

Original comment by tablatronics on 24 Sep 2012 at 4:18

GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
fixed via r756

Original comment by tablatronics on 28 Sep 2012 at 6:57

GoogleCodeExporter commented 9 years ago
Great work, but it's necessary to fix it again. I'd change your new line:

if(isset($_GET['id'])) $errid = ( function_exists( "filter_var") ) ? filter_var( $_GET['id'], FILTER_SANITIZE_SPECIAL_CHARS ) : htmlentities($_GET['err']);

by this:

if(isset($_GET['id'])) $errid = ( function_exists( "filter_var") ) ? filter_var( $_GET['id'], FILTER_SANITIZE_SPECIAL_CHARS ) : htmlentities($_GET['id']);

See the arguments of htmlentities(). Bye

Original comment by aquinadie on 28 Sep 2012 at 9:47
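
The bug reported at the top of this issue and the escaping fix discussed in the comment above, as an added example that is not GetSimple's own code. It models the archive.php pattern (a "deleted successfully" notice that echoes $_GET['id'] back into the page) in a vulnerable and a hardened form, parses the result the way a browser would to count what the attacker got in, and shows one caveat of FILTER_SANITIZE_SPECIAL_CHARS: it is only sufficient in text or quoted-attribute context. The function names, template strings and the second sample payload are assumptions made for the demonstration; the first payload is the one from the original report.

```php
<?php
declare(strict_types=1);

// Added example, not GetSimple's own code. Function names, the notice/link
// templates and the 'myFile onmouseover=...' payload are assumptions made
// for this demonstration.

// Payload from the original report, URL-decoded ("onnload" kept as reported;
// a browser would not fire that handler, but the injected <iframe> still lands
// in the page, which is the point of the report).
const REPORTED_PAYLOAD = 'myFile<iframe src="http://www.getsimple.nsn2/theme/Innovation/assets/images/share.png" onnload="alert(1)">';

// Vulnerable rendering: the raw id is concatenated straight into markup.
function renderNoticeUnsafe(string $id): string
{
    return '<div class="updated">File <b>' . $id . '</b> deleted successfully.</div>';
}

// The r756 approach with the fallback argument corrected as in the comment above.
// FILTER_SANITIZE_SPECIAL_CHARS encodes ' " < > & and bytes below 0x20 as numeric
// entities. The fallback passes ENT_QUOTES explicitly because the default flags
// on PHP < 8.1 leave single quotes unencoded.
function escapeForHtml(string $value): string
{
    if (function_exists('filter_var')) {
        return (string) filter_var($value, FILTER_SANITIZE_SPECIAL_CHARS);
    }
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderNoticeSafe(string $id): string
{
    return '<div class="updated">File <b>' . escapeForHtml($id) . '</b> deleted successfully.</div>';
}

// Caveat: the encoder leaves spaces and '=' alone. In an UNQUOTED attribute a
// space terminates the value, so an escaped id can still add an event handler.
function renderLinkUnquoted(string $id): string
{
    return '<a href=archive.php?id=' . escapeForHtml($id) . '>undo</a>';
}

// Same link with the attribute quoted: the encoded '"' cannot close the value.
function renderLinkQuoted(string $id): string
{
    return '<a href="archive.php?id=' . escapeForHtml($id) . '">undo</a>';
}

// Check: parse the fragment as a browser would and count what the attacker
// managed to create, i.e. iframe elements and on* attributes anywhere in the tree.
function countInjected(string $html): array
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // tolerate the HTML5 doctype and stray markup
    $doc->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    libxml_clear_errors();

    $handlers = 0;
    foreach ($doc->getElementsByTagName('*') as $el) {
        foreach ($el->attributes as $attr) {
            if (stripos($attr->name, 'on') === 0) {
                $handlers++;
            }
        }
    }
    return [
        'iframes'  => $doc->getElementsByTagName('iframe')->length,
        'handlers' => $handlers,
    ];
}

$cases = [
    'unsafe notice'      => renderNoticeUnsafe(REPORTED_PAYLOAD),
    'escaped notice'     => renderNoticeSafe(REPORTED_PAYLOAD),
    'unquoted attribute' => renderLinkUnquoted('myFile onmouseover=alert(1)'),
    'quoted attribute'   => renderLinkQuoted('myFile onmouseover=alert(1)'),
];
foreach ($cases as $label => $html) {
    printf("%-20s %s\n", $label, json_encode(countInjected($html)));
}
```

Run it with `php example.php` (needs ext/dom and ext/filter, both enabled in a default build). The unsafe notice yields one iframe and one on* attribute, the escaped notice yields none, the unquoted link still yields one handler even though the id went through the same encoder, and the quoted link yields none. The last two rows are the practical reading of this fix: escaping $_GET['id'] closes the reported hole only where the escaped value is emitted into text or a quoted attribute, so every place error_checking.php prints it should be checked for context, not just the one line in archive.php.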

GoogleCodeExporter commented 9 years ago
oops

Original comment by tablatronics on 29 Sep 2012 at 12:23

GoogleCodeExporter commented 9 years ago
Another typo in r758?
Line 26, GET['$id'] instead of GET['id']

Original comment by carnav on 29 Sep 2012 at 7:17

GoogleCodeExporter commented 9 years ago
Thanks, one of the plugins in my new editor is not working properly apparently and keeps changing stuff.

Original comment by tablatronics on 29 Sep 2012 at 12:59

GoogleCodeExporter commented 9 years ago
Fixed

Original comment by tablatronics on 21 Oct 2012 at 4:00