
Possible reflected XSS in library/PHPAnalysis.demo.php

Open enferas opened this issue 1 year ago • 0 comments

Hello,

I would like to report a possible reflected XSS vulnerability in the demo script that ships with the PHPAnalysis library.

The data flow from untrusted input to output is in https://github.com/lincanbin/Carbon-Forum/blob/master/library/PHPAnalysis.demo.php (the line numbers below refer to that file at the time of writing):

// line 27 of PHPAnalysis.demo.php
// Taint source: the raw POST field is read without any validation or
// encoding. Nothing in the quoted path below applies any either.
$str = (isset($_POST['source']) ? $_POST['source'] : '');

// line 59 of PHPAnalysis.demo.php
// Propagation: $str is handed to the segmenter and the joined result is
// stored in $okresult ($do_fork / $do_prop are defined outside this excerpt).
$pa->SetSource($str);
//...
$pa->StartAnalysis( $do_fork );
$okresult = $pa->GetFinallyResult(' ', $do_prop);

// line 118 of PHPAnalysis.demo.php
// Sink: $okresult is echoed into the <textarea> body with no escaping. The element
// only ends at "</textarea>", so a value containing that sequence leaves the
// text context and everything after it is parsed as HTML.
<textarea name="result" id="result" style="width:98%;height:120px;font-size:14px;color:#555"><?php echo (isset($okresult) ? $okresult : ''); ?></textarea>

The intermediate calls live in https://github.com/lincanbin/Carbon-Forum/blob/master/library/PHPAnalysis.class.php (excerpts, elided parts marked `//...`):

/**
 * Stores the text to be segmented (excerpt; most of the body is elided).
 *
 * The visible statement only transcodes $source from UTF-8 to UCS-2 for
 * internal processing (UCS2 is presumably a constant defined elsewhere in
 * the class file). No validation or HTML escaping is visible here, so the
 * posted content reaches the analysis unchanged apart from the encoding.
 * $source_charset / $target_charset are not used in the visible lines.
 */
public function SetSource($source, $source_charset = 'utf-8', $target_charset = 'utf-8')
	{
		//...
				$this->sourceString = iconv('utf-8', UCS2, $source);
		//...
	}
/**
 * Splits the stored UCS-2 buffer into entries of $this->simpleResult
 * (excerpt; the per-character classification between the elisions is not shown).
 *
 * In the visible branch every two-byte code unit except U+3000 (ideographic
 * space) is copied verbatim into simpleResult[...]['w'] with type 5 — no
 * character is altered or dropped. $slen and the use of $optimize are
 * defined outside this excerpt.
 */
public function StartAnalysis($optimize = true){
    //..
    $s = 0;
    //..
    for ($i = 0; $i < $slen; $i++) {
        // one UCS-2 code unit = two bytes; ++$i consumes the second byte
        $c  = $this->sourceString[$i] . $this->sourceString[++$i];
        $cn = hexdec(bin2hex($c));
        //...
        $s++;
        //...
        if ($cn == 0x3000) {
            continue;
        } else {
            $this->simpleResult[$s]['w'] = $c;
            $this->simpleResult[$s]['t'] = 5;
            $s++;
        }
    } 

    $this->_sort_finally_result();
}
/**
 * Reindexes simpleResult into finallyResult (excerpt; the branch preceding
 * "else if" is elided, so the else-if below is not syntactically complete here).
 *
 * The visible branch copies every entry whose type is not 21, keeping 'w'
 * byte-for-byte. No content filtering happens in this method.
 */
private function _sort_finally_result()
	{
		$newarr = array();
		$i      = 0;
		foreach ($this->simpleResult as $k => $v) {
			//...
			} else if ($v['t'] != 21) {
				$newarr[$i]['w'] = $v['w'];
				$newarr[$i]['t'] = $v['t'];
				$i++;
			}
		}
		$this->finallyResult = $newarr;
		$newarr              = '';
	}
/**
 * Joins the analysed words back into one string.
 *
 * @param string $spword        Separator emitted before every word, including
 *                              the first, so the result starts with it.
 * @param bool   $word_meanings When true, GetWordProperty() output is appended
 *                              after each word.
 * @return string
 *
 * Entries of type 3 or 5 are skipped only when $this->resultType == 2, and a
 * word equal to ' ' is never emitted. The only per-word transformation is
 * _out_string_encoding() (not shown; presumably the UCS-2 -> output charset
 * step). No HTML escaping happens here, so any markup characters that survive
 * StartAnalysis() come back verbatim and must be escaped by the caller for the
 * context it prints into.
 */
public function GetFinallyResult($spword = ' ', $word_meanings = false)
	{
		$rsstr = '';
		foreach ($this->finallyResult as $v) {
			if ($this->resultType == 2 && ($v['t'] == 3 || $v['t'] == 5)) {
				continue;
			}
			$m = '';
			if ($word_meanings) {
				$m = $this->GetWordProperty($v['w']);
			}
			$w = $this->_out_string_encoding($v['w']);
			if ($w != ' ') {
				if ($word_meanings) {
					$rsstr .= $spword . $w . $m;
				} else {
					$rsstr .= $spword . $w;
				}
			}
		}
		return $rsstr;
	}

So, as the excerpts show, the value of `$_POST['source']` reaches the `echo` on line 118 of PHPAnalysis.demo.php without any HTML escaping: `SetSource()` only transcodes it, `StartAnalysis()` / `_sort_finally_result()` only split and reindex it, and `GetFinallyResult()` joins the pieces back together. Two caveats for triage: the output lands inside a `<textarea>`, so a payload has to contain `</textarea>` to break out into HTML context, and whether the segmenter passes such markup through intact (it inserts `$spword` between tokens) is not visible from these excerpts — a concrete proof-of-concept request would confirm exploitability. The fix is to escape at the sink, e.g. `<?php echo htmlspecialchars(isset($okresult) ? $okresult : '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); ?>`. Since this is a demo script bundled with the library, it is only exposed where the demo is deployed, and ideally it should not be reachable on production installs at all.

enferas avatar Sep 29 '22 14:09 enferas