HTPC-Manager
XSS bug in "Other Apps"
I've not checked to see if any validation / processing is performed but I'm guessing the answer is no since you can do something like this:
">< script >alert('hacked')</ script ><a
^This is interpreted exactly as you see it and will alert 'hacked' on every single page.
I thought I might be able to fix it by encoding the URL as follows:
%22%3E%3C%2Fa%3E%3Cscript%3Ealert(%27hacked%27)%3C%2Fscript%3E%3Ca
This didn't work either though and gave me the following error:
Starting HTPC Manager on port 8085. Start your browser and go to http://localhost:8085//htpc
2014-08-06 03:54:24 :: cherrypy.error :: INFO :: [06/Aug/2014:03:54:24] ENGINE Listening for SIGHUP.
2014-08-06 03:54:24 :: cherrypy.error :: INFO :: [06/Aug/2014:03:54:24] ENGINE Listening for SIGTERM.
2014-08-06 03:54:24 :: cherrypy.error :: INFO :: [06/Aug/2014:03:54:24] ENGINE Listening for SIGUSR1.
2014-08-06 03:54:24 :: cherrypy.error :: INFO :: [06/Aug/2014:03:54:24] ENGINE Bus STARTING
2014-08-06 03:54:24 :: cherrypy.error :: INFO :: [06/Aug/2014:03:54:24] ENGINE Started monitor thread '_TimeoutMonitor'.
2014-08-06 03:54:24 :: cherrypy.error :: INFO :: [06/Aug/2014:03:54:24] ENGINE Serving on 0.0.0.0:8085
2014-08-06 03:54:24 :: cherrypy.error :: INFO :: [06/Aug/2014:03:54:24] ENGINE Bus STARTED
2014-08-06 03:54:56 :: modules.plex :: INFO :: Sending discovery message: M-SEARCH * HTTP/1.0
2014-08-06 03:54:57 :: modules.plex :: INFO :: GDM: Servers discovered: 1
2014-08-06 03:55:24 :: cherrypy.error.140114300669776 :: ERROR :: [06/Aug/2014:03:55:24] HTTP Traceback (most recent call last):
  File "/etc/HTPC-Manager/libs/cherrypy/_cprequest.py", line 656, in respond
    response.body = self.handler()
  File "/etc/HTPC-Manager/libs/cherrypy/lib/encoding.py", line 188, in __call__
    self.body = self.oldhandler(*args, **kwargs)
  File "/etc/HTPC-Manager/libs/cherrypy/_cpdispatch.py", line 34, in __call__
    return self.callable(*self.args, **self.kwargs)
  File "/etc/HTPC-Manager/htpc/root.py", line 32, in index
    return htpc.LOOKUP.get_template('dash.html').render(scriptname='dash')
  File "/etc/HTPC-Manager/libs/mako/template.py", line 412, in render
    return runtime._render(self, self.callable_, args, data)
  File "/etc/HTPC-Manager/libs/mako/runtime.py", line 766, in _render
    **_kwargs_for_callable(callable_, data))
  File "/etc/HTPC-Manager/libs/mako/runtime.py", line 798, in _render_context
    _exec_template(inherit, lclcontext, args=args, kwargs=kwargs)
  File "/etc/HTPC-Manager/libs/mako/runtime.py", line 824, in _exec_template
    callable_(context, *args, **kwargs)
  File "base_html", line 92, in render_body
  File "/etc/HTPC-Manager/htpc/settings.py", line 87, in getUrls
    return loads(links)
  File "/usr/lib/python2.7/json/__init__.py", line 338, in loads
    return _default_decoder.decode(s)
  File "/usr/lib/python2.7/json/decoder.py", line 366, in decode
    obj, end = self.raw_decode(s, idx=_w(s, 0).end())
  File "/usr/lib/python2.7/json/decoder.py", line 382, in raw_decode
    obj, end = self.scan_once(s, idx)
ValueError: Expecting , delimiter: line 1 column 25 (char 24)
I'm not entirely sure what the problem is, but I'd suggest fixing it since it's possible to break HTPC Manager entirely if you enter the wrong things, resulting in a '500 Internal Server Error'.
We can try to add some basic sanitizing with cgi.escape so trash like that is escaped before saving it to the db.
Where do you inject this?
I injected it into the URL bit of the “Other Apps” section in the settings for HTPC Manager.

On 6 Aug 2014, at 19:45, Hellowlol wrote:
> Where do you inject this?
Can use Mako's filter.
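The two fixes suggested in the thread (escape before saving, or escape in the Mako template) address the alert but not the 500, so here is an added example, not HTPC-Manager's own code, that separates the two problems: the traceback ends in `loads(links)`, which fails because a double quote in the URL field breaks the stored JSON record, while the alert comes from rendering that value unescaped. It assumes the record was assembled by string formatting (an assumption, suggested by the "Expecting , delimiter" error), uses the stdlib `html.escape` in place of `cgi.escape`/Mako's `h` filter, and all function names are made up for the example.

```python
import json
import html
from urllib.parse import urlsplit

# The value from the issue report above, re-typed here as a constructed test input.
REPORTED_INPUT = '"></a><script>alert(\'hacked\')</script><a'

def store_links_naive(name, url):
    """Assumed failure mode: the record is built by string formatting, so a
    double quote in `url` ends the JSON string early and the saved text no
    longer parses (the 'Expecting , delimiter' error in the traceback)."""
    return '[{"name": "%s", "url": "%s"}]' % (name, url)

def store_links_safe(name, url):
    """Hardened form: json.dumps escapes quotes and backslashes itself."""
    return json.dumps([{"name": name, "url": url}])

def load_links(raw):
    """Stands in for settings.getUrls(): decode the stored record.
    None means the decode failed; in HTPC-Manager that exception surfaced
    as a 500 on every page because the template calls it unconditionally."""
    try:
        return json.loads(raw)
    except ValueError:
        return None

def is_allowed_url(url):
    """A check escaping alone does not give you: only http(s) schemes, so a
    javascript: URL cannot end up in an href even when correctly escaped."""
    return urlsplit(url).scheme in ("http", "https")

def render_link(link):
    """Output encoding at render time. html.escape(quote=True) does the same
    job as cgi.escape(..., quote=True) before saving or Mako's `| h` filter."""
    if not is_allowed_url(link["url"]):
        return ""
    return '<a href="%s">%s</a>' % (html.escape(link["url"], quote=True),
                                    html.escape(link["name"], quote=True))

def render_link_unescaped(link):
    """The behaviour reported in the issue: the stored value is interpolated verbatim."""
    return '<a href="%s">%s</a>' % (link["url"], link["name"])
```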