Carbon-Forum
Possible XSS vulnerability
Hello,
I would like to report a possible XSS vulnerability.
The vulnerable code path starts in the file https://github.com/lincanbin/Carbon-Forum/blob/master/library/PHPAnalysis.demo.php
// line 27
// the source: request data read straight from the POST body, with no validation or encoding applied here
$str = (isset($_POST['source']) ? $_POST['source'] : '');
// line 59
// the request string is handed to the analyser unchanged
$pa->SetSource($str);
//...
$pa->StartAnalysis( $do_fork );
// $okresult is assembled by the analyser from the text set above (see the class excerpt quoted in this report)
$okresult = $pa->GetFinallyResult(' ', $do_prop);
// line 118
// the sink: $okresult is echoed into the HTML response; there is no htmlspecialchars() call on this line
<textarea name="result" id="result" style="width:98%;height:120px;font-size:14px;color:#555"><?php echo (isset($okresult) ? $okresult : ''); ?></textarea>
In file https://github.com/lincanbin/Carbon-Forum/blob/master/library/PHPAnalysis.class.php
/**
 * Stores the text to be analysed (excerpt; elided lines are marked //...).
 *
 * In the line shown, $source is converted with iconv() from 'utf-8' to the
 * charset named by the UCS2 constant (defined outside this excerpt) and kept
 * in $this->sourceString. No HTML escaping or filtering of $source is visible
 * in this excerpt.
 *
 * @param string $source         Text to analyse; the demo script passes request data here.
 * @param string $source_charset Not used in the lines shown.
 * @param string $target_charset Not used in the lines shown.
 */
public function SetSource($source, $source_charset = 'utf-8', $target_charset = 'utf-8')
{
//...
// charset conversion only: the bytes change representation, the content is not filtered
$this->sourceString = iconv('utf-8', UCS2, $source);
//...
}
/**
 * Walks $this->sourceString and fills $this->simpleResult (excerpt; elided
 * lines are marked //.. and //...).
 *
 * @param bool $optimize Not used in the lines shown.
 */
public function StartAnalysis($optimize = true){
//..
$s = 0;
//..
// $slen is assigned in an elided line. Each pass consumes two bytes of
// sourceString: the loop header advances $i once and the body advances it again.
for ($i = 0; $i < $slen; $i++) {
// $c is the raw two-byte unit; $cn is the same two bytes read as an integer
$c = $this->sourceString[$i] . $this->sourceString[++$i];
$cn = hexdec(bin2hex($c));
//...
$s++;
//...
// 0x3000 is dropped; in the lines shown every other unit is stored verbatim
// with type 5, so markup characters are kept as they arrived
if ($cn == 0x3000) {
continue;
} else {
$this->simpleResult[$s]['w'] = $c;
$this->simpleResult[$s]['t'] = 5;
$s++;
}
}
// builds $this->finallyResult from $this->simpleResult
$this->_sort_finally_result();
}
/**
 * Copies entries of $this->simpleResult into $this->finallyResult (excerpt;
 * the opening branch of the if/else chain is elided, marked //...).
 *
 * In the branch shown, every entry whose type is not 21 is copied with its
 * word ('w') and type ('t') unchanged; no escaping or filtering of the word
 * is visible here.
 */
private function _sort_finally_result()
{
$newarr = array();
$i = 0;
foreach ($this->simpleResult as $k => $v) {
//...
} else if ($v['t'] != 21) {
// word and type are carried over as-is under a fresh sequential index
$newarr[$i]['w'] = $v['w'];
$newarr[$i]['t'] = $v['t'];
$i++;
}
}
$this->finallyResult = $newarr;
// the local is overwritten after the array has been assigned to the property
$newarr = '';
}
/**
 * Joins the analysed words into a single string.
 *
 * Every emitted word is preceded by $spword. Words come from
 * $this->finallyResult and are passed through _out_string_encoding();
 * a word that comes back as a single space is left out.
 *
 * Security note: no HTML escaping happens in this method. A caller that
 * prints the result into a page has to escape it for that context, for
 * example with htmlspecialchars().
 *
 * @param string $spword        Separator written before each emitted word.
 * @param bool   $word_meanings When true, the GetWordProperty() value is appended after each word.
 * @return string The joined words, or '' when nothing is emitted.
 */
public function GetFinallyResult($spword = ' ', $word_meanings = false)
{
    $joined = '';
    foreach ($this->finallyResult as $entry) {
        // With resultType 2, entries of type 3 and type 5 are left out.
        $skipByType = $this->resultType == 2 && ($entry['t'] == 3 || $entry['t'] == 5);
        if ($skipByType) {
            continue;
        }

        // The property lookup runs before the encoding call, as in the original order.
        $property = $word_meanings ? $this->GetWordProperty($entry['w']) : '';
        $word = $this->_out_string_encoding($entry['w']);
        if ($word == ' ') {
            continue;
        }

        $joined .= $spword . $word . $property;
    }

    return $joined;
}
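So, as we can see, the value of $_POST['source'] reaches the echo on line 118 of PHPAnalysis.demo.php without being sanitized or HTML-escaped. Escaping the value at output, for example with htmlspecialchars($okresult, ENT_QUOTES, 'UTF-8'), before it is written into the <textarea> would close this path.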