nZEDb / nZEDb

nZEDb - a fork of nnplus(2011) | NNTP / Usenet / Newsgroup indexer.
https://nzedb.github.io/

Possible XSS vulnerability #2659

Closed enferas closed 2 years ago

enferas commented 2 years ago

Hello,

I would like to report an XSS vulnerability.

The path of the vulnerability

file www/pages/api.php line 49

Misc::showApiError(202, 'No such function (' . $_GET['t'] . ')');

file nzedb/utility/Misc.php in line 991

public static function showApiError($status = 900, $message = ''): void
{
    // ...

    $response =
        "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" .
        '<error code="' . $status . '" description="' . $message . "\"/>\n";
    header('Content-type: text/xml');
    header('Content-Length: ' . \strlen($response));
    header('X-nZEDb: API ERROR [' . $status . '] ' . $message);
    http_response_code($status);

    exit($response);
}

The exit function will terminate the script and print the message, which contains the input $_GET['t']. Then there is an XSS vulnerability.

enferas commented 2 years ago

CVE-2021-43686 is assigned to this discovery.

nZEDb v0.4.20 is affected by a Cross Site Scripting (XSS) vulnerability in www/pages/api.php. The exit function will terminate the script and print the message, which contains the input $_GET['t'].

niel commented 2 years ago

You are mistaken, there is no vulnerability here. Look closer at the nzedb/utility/Misc.php code, lines 1025-1027. The passed in message is replaced with a simpler but safe version which does not include the user input. The user input is passed to the ShowApiError method so that we can add logging for it later when the api is rewritten.