mkucej / i-librarian

Legacy I, Librarian - collaborative PDF manager. Not maintained, new version is at https://github.com/mkucej/i-librarian-free
https://i-librarian.net

XSS vulnerability in display.php #138

Open everping opened 5 years ago

everping commented 5 years ago

Summary

The parameter project is not sanitized, so attackers can poison this parameter and then create a reflected XSS attack.

PoC

http://domain.tld/display.php?browse[]=all&project=1">test</a><script>alert(123)</script>&select=desk&_=1555500329996

Details

The flaw exists because $project is assigned from a GET parameter without sanitizing:

https://github.com/mkucej/i-librarian/blob/07a2668ae012ff0d3fbede934fa526cd7d1c7c41/display.php#L15

Then $project is printed without escaping: https://github.com/mkucej/i-librarian/blob/07a2668ae012ff0d3fbede934fa526cd7d1c7c41/display.php#L326
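The pattern the report describes, shown as an added illustration that is not i-librarian's own code: a GET parameter copied into `$project` and echoed into an HTML attribute, first unescaped and then with output encoding and input validation. The function names, the link markup and the assumption that the project id is numeric (the PoC begins with `project=1`) are mine, not the project's.

```php
<?php
// Added illustrative example, not code from i-librarian. It reproduces the
// reported pattern: a GET parameter copied into $project and echoed into an
// HTML attribute without escaping, beside two hardened variants.

// Vulnerable pattern (assumed shape of the reported lines, not the actual code).
function render_project_link_vulnerable(array $get): string
{
    $project = isset($get['project']) ? $get['project'] : '';
    // Attacker-controlled value lands directly inside an attribute.
    return '<a href="display.php?project=' . $project . '">Project</a>';
}

// Hardened output: URL-encode the query value, then escape for the
// HTML attribute context so a quote in the input cannot close it.
function render_project_link_safe(array $get): string
{
    $project = isset($get['project']) ? (string) $get['project'] : '';
    $attr = htmlspecialchars(
        'display.php?project=' . rawurlencode($project),
        ENT_QUOTES | ENT_HTML5,
        'UTF-8'
    );
    return '<a href="' . $attr . '">Project</a>';
}

// Hardened input (assumption: project is a positive integer id, as in the
// PoC's "project=1"): validate the type and reject anything else early.
function project_id_or_null(array $get): ?int
{
    if (!isset($get['project'])) {
        return null;
    }
    $id = filter_var(
        $get['project'],
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    return $id === false ? null : $id;
}

// Constructed input mirroring the report's PoC payload.
$poc = ['project' => '1">test</a><script>alert(123)</script>'];

echo render_project_link_vulnerable($poc), PHP_EOL; // payload emitted as live markup
echo render_project_link_safe($poc), PHP_EOL;       // payload emitted as inert attribute text
var_dump(project_id_or_null($poc));                  // rejected before it reaches the page
```

Escaping on output (`htmlspecialchars` with `ENT_QUOTES`) is the fix that closes the reported sink regardless of where the value came from; validating the id additionally keeps non-numeric input out of the query path.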

mkucej commented 5 years ago

Thank you. This will be fixed in the next version.

everping commented 5 years ago

@mkucej Can you assign this flaw a CVE?