forked from paulnsorensen/archon
Open
Description
Archon substitutes unescaped query strings into HTML at various places, making it vulnerable to cross-site scripting attacks. We found out through https://www.openbugbounty.org/incidents/202333/, which we hope to have fixed with the following, though a `fgrep '\"$' -r * --include \*.php` suggests there may be more cases.
--- packages/core/pub/contact.php 2017-02-23 18:00:19.289374542 +0100
+++ packages/core/pub/contact.php.orig 2014-01-17 21:24:06.000000000 +0100
@@ -67,7 +67,7 @@
$in_referer = $_REQUEST['referer'] ? $_REQUEST['referer'] : urlencode($_REQUEST['HTTP_REFERER']);
- $repositoryid = $_REQUEST['repositoryid'] ? int($_REQUEST['repositoryid']) : 0;
+ $repositoryid = $_REQUEST['repositoryid'] ? $_REQUEST['repositoryid'] : 0;
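Review bot: `int($_REQUEST['repositoryid'])` on the `-` line is not valid PHP; there is no `int()` function, so the patched file will die with "Call to undefined function int()" as soon as `repositoryid` is non-empty. Use a cast, `(int)$_REQUEST['repositoryid']`, or `intval($_REQUEST['repositoryid'])`. Note also that this diff is reversed (`---` is the patched file, `+++` is the `.orig`), so the `-` lines are the proposed fix and the `+` lines are the vulnerable original; it only applies with `patch -R`. Separately, the unchanged `$in_referer` line reads `HTTP_REFERER` from `$_REQUEST`, where it never exists (it lives in `$_SERVER`), so that fallback is always empty and the value comes from the `referer` request parameter alone.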
@@ -111,8 +111,8 @@
$form = "<input type=\"hidden\" name=\"f\" value=\"sendemail\" />\n";
$form .= "<input type=\"hidden\" name=\"p\" value=\"core/contact\" />\n";
- $form .= "<input type=\"hidden\" name=\"referer\" value=\"".htmlspecialchars($in_referer)."\" />\n";
- $form .= "<input type=\"hidden\" name=\"query_string\" value=\"".htmlspecialchars($query_string)."\" />\n";
+ $form .= "<input type=\"hidden\" name=\"referer\" value=\"$in_referer\" />\n";
+ $form .= "<input type=\"hidden\" name=\"query_string\" value=\"$query_string\" />\n";
$form .= "<input type=\"hidden\" name=\"RepositoryID\" value=\"$repositoryid\" />\n";
$strRequiredMarker = "<span style=\"color:red\">*</span>";
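Review bot: the unchanged `RepositoryID` line still interpolates `$repositoryid` into the attribute unescaped, so this hunk is only safe together with the integer coercion in the earlier hunk; either escape it here as well or make sure the two hunks are never applied separately. For the two new `htmlspecialchars()` calls, pass the flags explicitly, e.g. `htmlspecialchars($in_referer, ENT_QUOTES, 'UTF-8')`: the default `ENT_COMPAT` escapes double quotes, which suffices for these double-quoted attributes, but it leaves single quotes alone, and older PHP versions default to ISO-8859-1 rather than UTF-8 for the charset.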