
Stored XSS in notes.php

Open teeann opened this issue 6 years ago • 2 comments

Summary

The parameter $notes is not sanitized after being queried from the database, so attackers can create a stored XSS attack.

How to reproduce

  1. curl http://<domain.tld>/notes.php --data 'file=1&notes=<script>alert(1)</script>' --cookie 'PHPSESSID=<session_id>'
  2. In your browser, access http://<domain.tld>/notes.php?file=1 while logged in

Detail

The bug exists because $notes is assigned the result of a database query without sanitizing: https://github.com/mkucej/i-librarian/blob/master/notes.php#L27 and https://github.com/mkucej/i-librarian/blob/master/notes.php#L53

teeann avatar Apr 18 '19 15:04 teeann
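To make the class of bug in this report concrete, here is an added PHP example (not i-librarian's own code). The variable name $notes and the payload come from the report; the database row and the surrounding markup are assumed. It shows the unencoded output pattern beside the fixed form that encodes the stored value for its HTML context.

```php
<?php
// Added example, not code from i-librarian. Demonstrates the bug class in the
// report: a notes value read from the database is written into HTML verbatim,
// versus the fixed form that encodes it at output time.

// Constructed sample standing in for a row fetched from the notes table.
$row = ['file' => 1, 'notes' => '<script>alert(1)</script>'];

// Vulnerable pattern: whatever was saved through the notes=... POST parameter
// lands in the page as markup, so it executes for every user who views the file.
function render_notes_vulnerable(string $notes): string
{
    return '<div class="notes">' . $notes . '</div>';
}

// Hardened pattern: encode for the HTML body context when rendering.
// ENT_QUOTES also encodes single quotes (relevant if the value ever ends up in
// an attribute); ENT_SUBSTITUTE replaces invalid UTF-8 instead of letting
// htmlspecialchars() return an empty string and silently drop the note.
function render_notes_safe(string $notes): string
{
    $escaped = htmlspecialchars(
        $notes,
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
    return '<div class="notes">' . $escaped . '</div>';
}

// Side by side: the first line carries live <script> markup, the second shows
// the same bytes rendered as visible text.
echo render_notes_vulnerable($row['notes']), PHP_EOL;
echo render_notes_safe($row['notes']), PHP_EOL;
```

Encoding must match the output context: the htmlspecialchars() call above is correct for HTML body and quoted attributes, but a value placed inside a script block or a URL needs a different encoder.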

Can anyone please review this bug? This is quite a critical vulnerability.

teeann avatar Apr 20 '19 08:04 teeann

Thanks, it will be fixed in I, Librarian 5.

mkucej avatar Apr 20 '19 17:04 mkucej