aboutsummaryrefslogtreecommitdiffhomepage
path: root/index.php
diff options
context:
space:
mode:
authorSebastien SAUVAGE <sebsauvage@sebsauvage.net>2013-03-03 22:15:38 +0100
committerSebastien SAUVAGE <sebsauvage@sebsauvage.net>2013-03-03 22:15:38 +0100
commitfeebc6d466ba78c5a34b4f6bbdfcce6a0785e709 (patch)
treeb2f31bf1ebc328f8845b496d88f827d742262ac4 /index.php
parent705f8355a95c899c154ba08a159c2d4840fd8c98 (diff)
downloadShaarli-feebc6d466ba78c5a34b4f6bbdfcce6a0785e709.tar.gz
Shaarli-feebc6d466ba78c5a34b4f6bbdfcce6a0785e709.tar.zst
Shaarli-feebc6d466ba78c5a34b4f6bbdfcce6a0785e709.zip
Corrected vulnerabilities (see report below)
Title : Shaarli Vulnerabilities Author : @erwan_lr | @_WPScan_ Vendor : http://sebsauvage.net/wiki/doku.php?id=php:shaarli Download : https://github.com/sebsauvage/Shaarli/archive/master.zip | http://sebsauvage.net/files/shaarli_0.0.40beta.zip Affected versions : master-705F835, 0.0.40-beta (versions below may also be vulnerable) Vulnerabilities : Persistent XSS & Unvalidated Redirects and Forwards Persistent XSS : - During the instalation or configuration modification, the title field is vulnerable. e.g <script>alert(1)</script> Quotes can not be used because of var_export(), but String.fromCharCode works - The url field of a link is vulnerable : When there is no redirector : javascript:alert(1) Then, the code is triggered when a user click the url of a link Or with a classic XSS : "><script>alert(1)</script> Unvalidated Redirects and Forwards : A request with the param linksperpage or privateonly can be used to redirect a user to an arbitrary referer e.g GET /Audit/Shaarli/master-705f835/?linksperpage=10 HTTP/1.1 Host: 127.0.0.1 Referer: https://duckduckgo.com History : March 2, 2013 - Vendor contacted
Diffstat (limited to 'index.php')
-rw-r--r--index.php17
1 files changed, 14 insertions, 3 deletions
diff --git a/index.php b/index.php
index bac5b7d2..224690ef 100644
--- a/index.php
+++ b/index.php
@@ -1265,7 +1265,11 @@ function renderPage()
1265 if (isset($_GET['linksperpage'])) 1265 if (isset($_GET['linksperpage']))
1266 { 1266 {
1267 if (is_numeric($_GET['linksperpage'])) { $_SESSION['LINKS_PER_PAGE']=abs(intval($_GET['linksperpage'])); } 1267 if (is_numeric($_GET['linksperpage'])) { $_SESSION['LINKS_PER_PAGE']=abs(intval($_GET['linksperpage'])); }
1268 header('Location: '.(empty($_SERVER['HTTP_REFERER'])?'?':$_SERVER['HTTP_REFERER'])); 1268 // Make sure the referer is from Shaarli itself.
1269 $referer = '?';
1270 if (!empty($_SERVER['HTTP_REFERER']) && strcmp(parse_url($_SERVER['HTTP_REFERER'],PHP_URL_HOST),$_SERVER['SERVER_NAME'])==0)
1271 $referer = $_SERVER['HTTP_REFERER'];
1272 header('Location: '.$referer);
1269 exit; 1273 exit;
1270 } 1274 }
1271 1275
@@ -1280,7 +1284,11 @@ function renderPage()
1280 { 1284 {
1281 unset($_SESSION['privateonly']); // See all links 1285 unset($_SESSION['privateonly']); // See all links
1282 } 1286 }
1283 header('Location: '.(empty($_SERVER['HTTP_REFERER'])?'?':$_SERVER['HTTP_REFERER'])); 1287 // Make sure the referer is from Shaarli itself.
1288 $referer = '?';
1289 if (!empty($_SERVER['HTTP_REFERER']) && strcmp(parse_url($_SERVER['HTTP_REFERER'],PHP_URL_HOST),$_SERVER['SERVER_NAME'])==0)
1290 $referer = $_SERVER['HTTP_REFERER'];
1291 header('Location: '.$referer);
1284 exit; 1292 exit;
1285 } 1293 }
1286 1294
@@ -1437,7 +1445,10 @@ function renderPage()
1437 if (!tokenOk($_POST['token'])) die('Wrong token.'); // Go away ! 1445 if (!tokenOk($_POST['token'])) die('Wrong token.'); // Go away !
1438 $tags = trim(preg_replace('/\s\s+/',' ', $_POST['lf_tags'])); // Remove multiple spaces. 1446 $tags = trim(preg_replace('/\s\s+/',' ', $_POST['lf_tags'])); // Remove multiple spaces.
1439 $linkdate=$_POST['lf_linkdate']; 1447 $linkdate=$_POST['lf_linkdate'];
1440 $link = array('title'=>trim($_POST['lf_title']),'url'=>trim($_POST['lf_url']),'description'=>trim($_POST['lf_description']),'private'=>(isset($_POST['lf_private']) ? 1 : 0), 1448 $url = trim($_POST['lf_url']);
1449 if (!startsWith($url,'http:') && !startsWith($url,'ftp:') && !startsWith($url,'magnet:') && !startsWith($url,'?'))
1450 $url = 'http://'.$url;
1451 $link = array('title'=>trim($_POST['lf_title']),'url'=>$url,'description'=>trim($_POST['lf_description']),'private'=>(isset($_POST['lf_private']) ? 1 : 0),
1441 'linkdate'=>$linkdate,'tags'=>str_replace(',',' ',$tags)); 1452 'linkdate'=>$linkdate,'tags'=>str_replace(',',' ',$tags));
1442 if ($link['title']=='') $link['title']=$link['url']; // If title is empty, use the URL as title. 1453 if ($link['title']=='') $link['title']=$link['url']; // If title is empty, use the URL as title.
1443 $LINKSDB[$linkdate] = $link; 1454 $LINKSDB[$linkdate] = $link;