search

lincanbin / Carbon-Forum

A high performance open-source forum software written in PHP. Discussions Tags based with Quora/StackOverflow style.
https://www.94cb.com/
Apache License 2.0
1.84k stars 433 forks source link

Possible XSS vulnerability #324

Open enferas opened 2 years ago

enferas commented 2 years ago

Hello,

I would like to report for possible XSS vulnerability.

The path of the vulnerability in files https://github.com/lincanbin/Carbon-Forum/blob/master/library/PHPAnalysis.demo.php

// line 27
// the source
$str = (isset($_POST['source']) ? $_POST['source'] : '');

// line 59
$pa->SetSource($str);
//...
$pa->StartAnalysis( $do_fork );
$okresult = $pa->GetFinallyResult(' ', $do_prop);

// line 118
<textarea name="result" id="result" style="width:98%;height:120px;font-size:14px;color:#555"><?php echo (isset($okresult) ? $okresult : ''); ?></textarea>

In file https://github.com/lincanbin/Carbon-Forum/blob/master/library/PHPAnalysis.class.php

public function SetSource($source, $source_charset = 'utf-8', $target_charset = 'utf-8')
    {
        //...
                $this->sourceString = iconv('utf-8', UCS2, $source);
        //...
    }
public function StartAnalysis($optimize = true){
    //..
    $s = 0;
    //..
    for ($i = 0; $i < $slen; $i++) {
        $c  = $this->sourceString[$i] . $this->sourceString[++$i];
        $cn = hexdec(bin2hex($c));
        //...
        $s++;
        //...
        if ($cn == 0x3000) {
            continue;
        } else {
            $this->simpleResult[$s]['w'] = $c;
            $this->simpleResult[$s]['t'] = 5;
            $s++;
        }
    } 

    $this->_sort_finally_result();
}
private function _sort_finally_result()
    {
        $newarr = array();
        $i      = 0;
        foreach ($this->simpleResult as $k => $v) {
            //...
            } else if ($v['t'] != 21) {
                $newarr[$i]['w'] = $v['w'];
                $newarr[$i]['t'] = $v['t'];
                $i++;
            }
        }
        $this->finallyResult = $newarr;
        $newarr              = '';
    }
public function GetFinallyResult($spword = ' ', $word_meanings = false)
    {
        $rsstr = '';
        foreach ($this->finallyResult as $v) {
            if ($this->resultType == 2 && ($v['t'] == 3 || $v['t'] == 5)) {
                continue;
            }
            $m = '';
            if ($word_meanings) {
                $m = $this->GetWordProperty($v['w']);
            }
            $w = $this->_out_string_encoding($v['w']);
            if ($w != ' ') {
                if ($word_meanings) {
                    $rsstr .= $spword . $w . $m;
                } else {
                    $rsstr .= $spword . $w;
                }
            }
        }
        return $rsstr;
    }

So as we can see that the source $_POST['source'] will pass to the echo in line 118 in file PHPAnalysis.demo.php without being sanitized.