This repository was archived by the owner on Feb 23, 2021. It is now read-only.
Security Fix for Cross-site Scripting (XSS) - huntr.dev#186
Open
huntr-helper wants to merge 5 commits into
Open
Security Fix for Cross-site Scripting (XSS) - huntr.dev#186huntr-helper wants to merge 5 commits into
huntr-helper wants to merge 5 commits into
Conversation
Fix JS injection removing invalid `chars` in a `function name` which could result in bypassing `htmlentities()`
[FIX] XSS through blacklisting and htmlentities()
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
https://huntr.dev/users/Mik317 has fixed the Cross-site Scripting (XSS) vulnerability 🔨. Mik317 has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?
Get involved at https://huntr.dev/
Q | A
Version Affected | ALL
Bug Fix | YES
Original Pull Request | 418sec#1
GitHub Issue | #180
Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/packagist/kcfinder/1/README.md
User Comments:
Bounty URL: https://www.huntr.dev/bounties/1-packagist-kcfinder
⚙️ Description *
kcfinderwasvulnerableagainstXSSdue to aunsafe formattingwhich occurred in theuploader.phpfile.An input provided by the user could be reflected inside the
scripttag and lead toXSS.💻 Technical Description *
I used 2 ways to fix the issue:
usage of
htmlentities()(as suggested on Cross-site Scripting Vulnerability #180 ) in order to avoid attackers could break thescripttag and insert another one/another tag.usage of a
blacklistwithfind and replaceapproach to avoid the attacker could manipulate theJSsyntax and lead to XSS modifying the script purposeI wanted also to add directly a
whitelistto avoidbad craftedfunction names, but I ended up seeing theregexto validate all the possiblefunction nameinJS/ECMAcould be really bad and redundant + long (more here: https://stackoverflow.com/questions/2008279/validate-a-javascript-function-name/2008444#2008444). So I opted toreplacemaliciouscharactersinside thefuncnamein order to avoid XSS without preventing users to useascii function namesand similar ones 😄.🐛 Proof of Concept (PoC) *
No POC provided but
static analysisis awesome🔥 Proof of Fix (PoF) *
No steps provided but the fix covers all the cases I could see
👍 User Acceptance Testing (UAT)
Only
replacedsome maliciouscharactersand called thehtmlentities()function on the resulting string 😄