Open enferas opened 2 years ago
Hello,
I would like to report a possible XSS vulnerability.
The path of the vulnerability is in the file https://github.com/lincanbin/Carbon-Forum/blob/master/library/PHPAnalysis.demo.php
```php
// line 27
// the source
$str = (isset($_POST['source']) ? $_POST['source'] : '');
// line 59
$pa->SetSource($str);
//...
$pa->StartAnalysis( $do_fork );
$okresult = $pa->GetFinallyResult(' ', $do_prop);
// line 118
<textarea name="result" id="result" style="width:98%;height:120px;font-size:14px;color:#555"><?php echo (isset($okresult) ? $okresult : ''); ?></textarea>
```
In file https://github.com/lincanbin/Carbon-Forum/blob/master/library/PHPAnalysis.class.php
```php
public function SetSource($source, $source_charset = 'utf-8', $target_charset = 'utf-8')
{
    //...
    $this->sourceString = iconv('utf-8', UCS2, $source);
    //...
}

public function StartAnalysis($optimize = true){
    //..
    $s = 0;
    //..
    for ($i = 0; $i < $slen; $i++) {
        $c = $this->sourceString[$i] . $this->sourceString[++$i];
        $cn = hexdec(bin2hex($c));
        //...
        $s++;
        //...
        if ($cn == 0x3000) {
            continue;
        } else {
            $this->simpleResult[$s]['w'] = $c;
            $this->simpleResult[$s]['t'] = 5;
            $s++;
        }
    }
    $this->_sort_finally_result();
}

private function _sort_finally_result()
{
    $newarr = array();
    $i = 0;
    foreach ($this->simpleResult as $k => $v) {
        //...
        } else if ($v['t'] != 21) {
            $newarr[$i]['w'] = $v['w'];
            $newarr[$i]['t'] = $v['t'];
            $i++;
        }
    }
    $this->finallyResult = $newarr;
    $newarr = '';
}

public function GetFinallyResult($spword = ' ', $word_meanings = false)
{
    $rsstr = '';
    foreach ($this->finallyResult as $v) {
        if ($this->resultType == 2 && ($v['t'] == 3 || $v['t'] == 5)) {
            continue;
        }
        $m = '';
        if ($word_meanings) {
            $m = $this->GetWordProperty($v['w']);
        }
        $w = $this->_out_string_encoding($v['w']);
        if ($w != ' ') {
            if ($word_meanings) {
                $rsstr .= $spword . $w . $m;
            } else {
                $rsstr .= $spword . $w;
            }
        }
    }
    return $rsstr;
}
```
So, as we can see, the source `$_POST['source']` will pass to the echo on line 118 of PHPAnalysis.demo.php without being sanitized.
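Added example (not part of the original report and not Carbon-Forum code): the `<textarea>` sink from line 118 rendered without and with output encoding, to show the fix at the point of output. `analysis_stub()`, `h()` and `render_textarea()` are hypothetical names; the stub only assumes, as the report states, that the analysis result reaches the sink without HTML encoding.

```php
<?php
// Added example; hypothetical helpers, not Carbon-Forum code.

// Stand-in for SetSource()/StartAnalysis()/GetFinallyResult(): assumed to
// return the tokens joined by $spword with no HTML encoding applied.
function analysis_stub(string $source, string $spword = ' '): string
{
    $tokens = preg_split('/\s+/u', $source, -1, PREG_SPLIT_NO_EMPTY);
    return $spword . implode($spword, $tokens);
}

// Encode for HTML text content at the sink. ENT_SUBSTITUTE keeps
// htmlspecialchars() from returning an empty string when the converted
// result contains bytes that are invalid in UTF-8.
function h(?string $value): string
{
    return htmlspecialchars($value ?? '', ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Render the result box the way line 118 does ($encode = false) or with
// output encoding applied ($encode = true).
function render_textarea(string $okresult, bool $encode): string
{
    $body = $encode ? h($okresult) : $okresult;
    return '<textarea name="result" id="result">' . $body . '</textarea>';
}

// Constructed sample input containing markup that closes the textarea.
$source   = 'word1 </textarea><b>markup</b> word2';
$okresult = analysis_stub($source);

$before = render_textarea($okresult, false);
$after  = render_textarea($okresult, true);

// Unencoded: the input contributes its own closing tag, so the markup
// after it is parsed as page content instead of textarea text.
if (substr_count($before, '</textarea>') !== 2) {
    throw new RuntimeException('unexpected unencoded output');
}
// Encoded: only the template's closing tag remains; the input is inert text.
if (substr_count($after, '</textarea>') !== 1
    || strpos($after, '&lt;/textarea&gt;&lt;b&gt;markup&lt;/b&gt;') === false) {
    throw new RuntimeException('unexpected encoded output');
}

echo $before, PHP_EOL, $after, PHP_EOL;
```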