outroll / vesta

VESTA Control Panel
http://vestacp.com
GNU General Public License v3.0

Possible XSS Vulnerability #2252

Closed enferas closed 1 year ago

enferas commented 2 years ago

Hello,

I would like to report a possible XSS vulnerability.

In file https://github.com/serghey-rodin/vesta/blob/master/web/api/v1/upload/UploadHandler.php

The source is in function post:

    public function post($print_response = true) {
        //....
        // the source $_FILES[$this->options['param_name']]
        $upload = isset($_FILES[$this->options['param_name']]) ? $_FILES[$this->options['param_name']] : null;
        // ....
        foreach ($upload['tmp_name'] as $index => $value) {
            // $files will have the source which return from handle_file_upload
            $files[] = $this->handle_file_upload(
                $upload['tmp_name'][$index],
                $file_name ? $file_name : $upload['name'][$index],
                $size ? $size : $upload['size'][$index],
                $upload['type'][$index], // The source
                $upload['error'][$index],
                $index,
                $content_range
            );
        }
        //.....
        // call generate_response and pass the source in the array in $files
        return $this->generate_response(
            array($this->options['param_name'] => $files),
            $print_response
        );
    }

function handle_file_upload

    protected function handle_file_upload($uploaded_file, $name, $size, $type, $error,
        //.....
        // the source in $file->type
        $file->type = $type;
        //....
        return $file;
    }

function generate_response

    protected function generate_response($content, $print_response = true) {
        if ($print_response) {
            $json = json_encode($content);
            //.....
            $this->body($json);
        }
    }

Finally, the sink is in function body:

    protected function body($str) {
        // the sink
        echo $str;
    }
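The flow above, reduced to its sink, as an added example that is not VestaCP's code: `respond_unsafe` mirrors generate_response()/body() echoing json_encode() output, and `respond_hardened` is an assumed mitigation (JSON Content-Type, nosniff, and hex-escaping of HTML-significant characters), not the fix from any pull request.

```php
<?php
// Added example, not from the vesta repository. The value below stands in for
// $_FILES[...]['type'], which the uploading client chooses freely.
// Constructed sample: a client-supplied MIME type that carries markup.
$clientType = 'image/png<b>not-really</b>';

// Before: mirrors the reported flow. json_encode() escapes quotes and
// backslashes but leaves '<', '>' and '&' untouched, so if the response is
// ever rendered as HTML (no JSON Content-Type, or a sniffing browser), the
// markup inside the "type" field is interpreted by the browser.
function respond_unsafe(array $content): string {
    return json_encode($content);
}

// After (assumed hardening): (1) declare the body as JSON so browsers do not
// render it as a document, (2) forbid MIME sniffing, (3) hex-encode the
// HTML-significant characters so the body stays inert even if it is later
// embedded in an HTML context by some other code path.
function respond_hardened(array $content): string {
    if (!headers_sent()) {
        header('Content-Type: application/json; charset=utf-8');
        header('X-Content-Type-Options: nosniff');
    }
    return json_encode(
        $content,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
}

// Shape of the array generate_response() receives: one entry per uploaded file.
$files = [['name' => 'logo.png', 'type' => $clientType, 'size' => 1234]];

echo respond_unsafe(['files' => $files]), PHP_EOL;
echo respond_hardened(['files' => $files]), PHP_EOL;
```

Comparing the two outputs shows that only the hardened variant turns the angle brackets in the "type" field into \u003C / \u003E escapes.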
byjameson commented 2 years ago

Yes, this is a bug.

myvesta commented 2 years ago

Can you check whether this issue exists in the https://github.com/myvesta/vesta fork?

jaapmarcus commented 1 year ago

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-36305

anton-reutov commented 1 year ago

Possible XSS Vulnerability

divinity76 commented 1 year ago

proposed a fix: https://github.com/serghey-rodin/vesta/pull/2258

fwiw VestaCP development has largely halted, notable maintained forks are https://github.com/hestiacp/hestiacp and https://github.com/myvesta/vesta

anton-reutov commented 1 year ago

Thank you guys for the help