From feebc6d466ba78c5a34b4f6bbdfcce6a0785e709 Mon Sep 17 00:00:00 2001 From: Sebastien SAUVAGE Date: Sun, 3 Mar 2013 22:15:38 +0100 Subject: Corrected vulnerabilities (see report below) Title : Shaarli Vulnerabilities Author : @erwan_lr | @_WPScan_ Vendor : http://sebsauvage.net/wiki/doku.php?id=php:shaarli Download : https://github.com/sebsauvage/Shaarli/archive/master.zip | http://sebsauvage.net/files/shaarli_0.0.40beta.zip Affected versions : master-705F835, 0.0.40-beta (versions below may also be vulnerable) Vulnerabilities : Persistent XSS & Unvalidated Redirects and Forwards Persistent XSS : - During the instalation or configuration modification, the title field is vulnerable. e.g Quotes can not be used because of var_export(), but String.fromCharCode works - The url field of a link is vulnerable : When there is no redirector : javascript:alert(1) Then, the code is triggered when a user click the url of a link Or with a classic XSS : "> Unvalidated Redirects and Forwards : A request with the param linksperpage or privateonly can be used to redirect a user to an arbitrary referer e.g GET /Audit/Shaarli/master-705f835/?linksperpage=10 HTTP/1.1 Host: 127.0.0.1 Referer: https://duckduckgo.com History : March 2, 2013 - Vendor contacted --- tpl/linklist.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'tpl/linklist.html') diff --git a/tpl/linklist.html b/tpl/linklist.html index 3a703512..37ffeb64 100644 --- a/tpl/linklist.html +++ b/tpl/linklist.html @@ -40,7 +40,7 @@ {/if} - {$value.title|htmlspecialchars} + {$value.title|htmlspecialchars}
{if="$value.description"}
{$value.description}
{/if} {if="!$GLOBALS['config']['HIDE_TIMESTAMPS'] || isLoggedIn()"} -- cgit v1.2.3