monperrus / bibtexbrowser

Beautiful publication lists with bibtex and PHP (standalone or in Wordpress)
http://www.monperrus.net/martin/bibtexbrowser/
84 stars 54 forks

Fix XSS vulnerability. #134

Closed aklerza closed 6 days ago

aklerza commented 1 week ago

Description

In my recent security analysis of the bibtexbrowser script, I discovered a significant Stored Cross-Site Scripting (XSS) vulnerability. This flaw exists in the process of listing .bib files in the PHP script directory. The related function is default_message(), Line 288.

On Line 299, the PHP script outputs the file name without proper neutralization or validation. This oversight allows an attacker to craft a malicious file name containing executable JavaScript code, which can then be stored on the server.

Steps to reproduce

  1. Host a local server for the PHP script.
  2. Create a file named <img src=x onerror=alert('xss')>.bib with the help of the touch command on Linux-based OSes, or use a Python script for creating malicious files.
  3. Go to /bibtexbrowser.php?frameset&bib= relative URL with the help of browser.

An alert message will appear on the page – malicious file name executed JavaScript code.

PoC image


Fix Implemented

These changes prevent XSS vulnerabilities by ensuring that file names are safe to display and use.
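The listing pattern described in the report, shown as an added example: this is not bibtexbrowser's own code and not the diff of this PR (which is not reproduced on this page). It puts the unescaped rendering beside a version that escapes each file name for the HTML body and the href attribute and URL-encodes the query value separately. The function names and the sample file names are constructed for the example; no file is created on disk.

```php
<?php
// Added example (not bibtexbrowser's own code): rendering a list of .bib
// file names in HTML. The first function reproduces the unsafe pattern
// (name echoed verbatim into the page); the second escapes every name for
// the context it lands in, which is the fix for this class of stored XSS.

// Unsafe rendering: the file name is inserted into the HTML as-is, so any
// markup in the name becomes part of the page.
function render_bib_list_unsafe(array $files): string
{
    $html = "<ul>\n";
    foreach ($files as $f) {
        $html .= "  <li><a href=\"bibtexbrowser.php?bib=$f\">$f</a></li>\n";
    }
    return $html . "</ul>\n";
}

// Hardened rendering: htmlspecialchars() with ENT_QUOTES neutralises <, >,
// &, " and ' for both the text node and the attribute value; rawurlencode()
// makes the name safe as a query-string value before the attribute escape.
function render_bib_list_safe(array $files): string
{
    $html = "<ul>\n";
    foreach ($files as $f) {
        $label = htmlspecialchars($f, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $href  = htmlspecialchars(
            'bibtexbrowser.php?bib=' . rawurlencode($f),
            ENT_QUOTES | ENT_HTML5,
            'UTF-8'
        );
        $html .= "  <li><a href=\"$href\">$label</a></li>\n";
    }
    return $html . "</ul>\n";
}

// Constructed sample input (in memory only): one ordinary name and one that
// carries markup, standing in for a crafted file name as in the report.
$sample = ['refs.bib', '<b onmouseover="x()">evil</b>.bib'];

// With the unsafe renderer the <b> element is live in the page; with the
// safe renderer the same characters are shown as literal text and the link
// still points at the intended file.
echo render_bib_list_unsafe($sample);
echo render_bib_list_safe($sample);
```

Escaping at output is the necessary part of the fix; on top of it, a listing that only ever emits names returned by a directory scan restricted to `*.bib` (and that applies `basename()` to any `bib=` value it later reads back) narrows what can reach the renderer in the first place.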

monperrus commented 6 days ago

thanks @aklerza