XSS + privilege escalation

[leblanc-simon]

saveSettings isn't protected. Anyone who know a username can change the password and promote the user to admin.

with the last commit, you protect the available usernames.

But there is an XSS and if the cracker send a malicious URL to an legitimate user, you can change the password and the role of this user

See this gist to see the exploit for all versions of dropcenter

[ldleman]

Ooops :) big fail !! Corrected in the latest revision thank you for the information.

[leblanc-simon]

Your commit resolve the problem with the include php script with the img tag, but the XSS is always here and if you change the XSS to add an ajax query for replace the cURL call, you can change the current user and promote it at admin (because the query will be call with the user rights) :

• fix XSS
• prevent a user to change his role (user -> admin)
• add a token in the forms to prevent the unwanted actions

[ldleman]

I dont have understand everything but the topic 2 should be corrected with the lastest commit.

[leblanc-simon]

XSS :

• add in your URL : ?error=");$(document).ready(function(){$('body').html('Your cookie : '%2Bdocument.cookie);});function t(){}t("
• if the value of the cookie is sent to a cracker, he can stole your active session (and he will be connected without know your password)

You must safe your datas before to print its to prevent XSS You should protect your session : http://stackoverflow.com/questions/328/php-session-security

Token :

• Add a token in your forms to protect CSRF attack : http://en.wikipedia.org/wiki/Cross-site_request_forgery
• If I send you a link which redirect you in your dropcenter instance, without token in your forms, I can force you to change password, upload file, delete file, ...

[ldleman]

Ok, i'v secured error variable and added a token for the most sensible forms (add user form and settings forms) thanks for the advices