From 257ecaa6b27fb78ab976dd94c6ca11db449028c5 Mon Sep 17 00:00:00 2001
From: Michele Romano <33063403+Mik317@users.noreply.github.com>
Date: Fri, 14 Aug 2020 16:39:08 +0200
Subject: [PATCH 1/4] [FIX] XSS through `htmlentities`

---
 core/class/uploader.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/class/uploader.php b/core/class/uploader.php
index 447d0ff..c9ccce6 100644
--- a/core/class/uploader.php
+++ b/core/class/uploader.php
@@ -198,7 +198,7 @@ public function __construct() {
 // HOST APPLICATIONS INIT
 if (isset($_GET['CKEditorFuncNum'])) {
 $this->opener['name'] = "ckeditor";
- $this->opener['CKEditor'] = array('funcNum' => $_GET['CKEditorFuncNum']);
+ $this->opener['CKEditor'] = array('funcNum' => htmlentities($_GET['CKEditorFuncNum'], ENT_QUOTES, 'UTF-8'));
 } elseif (isset($_GET['opener'])) {
 $this->opener['name'] = $_GET['opener'];

From 725163f7b0f91288c0da85eaaad950f4819080ef Mon Sep 17 00:00:00 2001
From: Michele Romano <33063403+Mik317@users.noreply.github.com>
Date: Fri, 14 Aug 2020 16:51:19 +0200
Subject: [PATCH 2/4] Update uploader.php

Fix JS injection removing invalid `chars` in a `function name` which could result in bypassing `htmlentities()`

---
 core/class/uploader.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/core/class/uploader.php b/core/class/uploader.php
index c9ccce6..21b886c 100644
--- a/core/class/uploader.php
+++ b/core/class/uploader.php
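Review bot: On the `+` line, `CKEditorFuncNum` is still accepted as an arbitrary string and merely HTML-escaped, while CKEditor's upload protocol defines it as a numeric callback index; the robust check is to validate it as an integer and refuse anything else, e.g. `$funcNum = filter_var($_GET['CKEditorFuncNum'], FILTER_VALIDATE_INT); if ($funcNum === false) { /* reject the request */ }` and then store `(int) $funcNum`. If the value is later written into a `<script>` block, which is how the CKEditor callback is conventionally invoked but is not visible in this hunk, `htmlentities()` is the wrong escaping for that context, and an integer constraint removes the question entirely. Patches 2/4, 3/4 and 4/4 instead keep extending a `$malicious` character denylist, and each character added is a sign that an allowlist is the shape this check needs. `__construct()` begins before and continues after this hunk.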
@@ -198,7 +198,8 @@ public function __construct() {
 // HOST APPLICATIONS INIT
 if (isset($_GET['CKEditorFuncNum'])) {
 $this->opener['name'] = "ckeditor";
- $this->opener['CKEditor'] = array('funcNum' => htmlentities($_GET['CKEditorFuncNum'], ENT_QUOTES, 'UTF-8'));
+ $malicious = array("(", ")", ";", "=", "-", "*", "/", "+", "!", "@", "#", "%", "^", "&");
+ $this->opener['CKEditor'] = array('funcNum' => htmlentities(str_replace($malicious, '', $_GET['CKEditorFuncNum']), ENT_QUOTES, 'UTF-8'));
 } elseif (isset($_GET['opener'])) {
 $this->opener['name'] = $_GET['opener'];

From e4140aebf155d59b3c8aeb7daf9a7b9415885298 Mon Sep 17 00:00:00 2001
From: Michele Romano <33063403+Mik317@users.noreply.github.com>
Date: Fri, 14 Aug 2020 17:00:13 +0200
Subject: [PATCH 3/4] Update uploader.php

---
 core/class/uploader.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/class/uploader.php b/core/class/uploader.php
index 21b886c..458e542 100644
--- a/core/class/uploader.php
+++ b/core/class/uploader.php
@@ -198,7 +198,7 @@ public function __construct() {
 // HOST APPLICATIONS INIT
 if (isset($_GET['CKEditorFuncNum'])) {
 $this->opener['name'] = "ckeditor";
- $malicious = array("(", ")", ";", "=", "-", "*", "/", "+", "!", "@", "#", "%", "^", "&");
+ $malicious = array("(", ")", ";", "=", "-", "*", "/", "+", "!", "@", "#", "%", "^", "&", "`");
 $this->opener['CKEditor'] = array('funcNum' => htmlentities(str_replace($malicious, '', $_GET['CKEditorFuncNum']), ENT_QUOTES, 'UTF-8'));
 } elseif (isset($_GET['opener'])) {

From e3f5a5e51e4594f9d6f63fe65f9a83331e9823cd Mon Sep 17 00:00:00 2001
From: Michele Romano <33063403+Mik317@users.noreply.github.com>
Date: Fri, 14 Aug 2020 17:09:18 +0200
Subject: [PATCH 4/4] Added some other denied characters

---
 core/class/uploader.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/class/uploader.php b/core/class/uploader.php
index 458e542..b2410e8 100644
--- a/core/class/uploader.php
+++ b/core/class/uploader.php
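Review bot: `str_replace($malicious, '', …)` on the second `+` line repairs bad input and carries on, so a request carrying disallowed characters in `CKEditorFuncNum` is served with a silently altered value rather than refused, and nothing records that it happened. For a parameter expected to be a plain number, fail closed: `if (!ctype_digit((string) $_GET['CKEditorFuncNum'])) { /* error response + log entry */ }` before the assignment, which keeps the stored value trivially safe and makes tampering visible to logging and monitoring. The hunk from patch 3/4 that follows, and patch 4/4, keep the same strip-and-continue shape. `__construct()` extends past both ends of this hunk.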
@@ -198,7 +198,7 @@ public function __construct() {
 // HOST APPLICATIONS INIT
 if (isset($_GET['CKEditorFuncNum'])) {
 $this->opener['name'] = "ckeditor";
- $malicious = array("(", ")", ";", "=", "-", "*", "/", "+", "!", "@", "#", "%", "^", "&", "`");
+ $malicious = array("(", ")", ";", "=", "-", "*", "/", "+", "!", "@", "#", "%", "^", "&", "`", "'", "\"");
 $this->opener['CKEditor'] = array('funcNum' => htmlentities(str_replace($malicious, '', $_GET['CKEditorFuncNum']), ENT_QUOTES, 'UTF-8'));
 } elseif (isset($_GET['opener'])) {