Possible XSS vulnerability #324

Open
enferas opened this issue Sep 29, 2022 · 0 comments
enferas commented Sep 29, 2022

Hello,

I would like to report a possible XSS vulnerability.

The path of the vulnerability is in the file https://github.com/lincanbin/Carbon-Forum/blob/master/library/PHPAnalysis.demo.php

// line 27
// the source
$str = (isset($_POST['source']) ? $_POST['source'] : '');

// line 59
$pa->SetSource($str);
//...
$pa->StartAnalysis( $do_fork );
$okresult = $pa->GetFinallyResult(' ', $do_prop);

// line 118
<textarea name="result" id="result" style="width:98%;height:120px;font-size:14px;color:#555"><?php echo (isset($okresult) ? $okresult : ''); ?></textarea>

In file https://github.com/lincanbin/Carbon-Forum/blob/master/library/PHPAnalysis.class.php

public function SetSource($source, $source_charset = 'utf-8', $target_charset = 'utf-8')
	{
		//...
				$this->sourceString = iconv('utf-8', UCS2, $source);
		//...
	}
public function StartAnalysis($optimize = true){
    //..
    $s = 0;
    //..
    for ($i = 0; $i < $slen; $i++) {
        $c  = $this->sourceString[$i] . $this->sourceString[++$i];
        $cn = hexdec(bin2hex($c));
        //...
        $s++;
        //...
        if ($cn == 0x3000) {
            continue;
        } else {
            $this->simpleResult[$s]['w'] = $c;
            $this->simpleResult[$s]['t'] = 5;
            $s++;
        }
    } 

    $this->_sort_finally_result();
}
private function _sort_finally_result()
	{
		$newarr = array();
		$i      = 0;
		foreach ($this->simpleResult as $k => $v) {
			//...
			} else if ($v['t'] != 21) {
				$newarr[$i]['w'] = $v['w'];
				$newarr[$i]['t'] = $v['t'];
				$i++;
			}
		}
		$this->finallyResult = $newarr;
		$newarr              = '';
	}
public function GetFinallyResult($spword = ' ', $word_meanings = false)
	{
		$rsstr = '';
		foreach ($this->finallyResult as $v) {
			if ($this->resultType == 2 && ($v['t'] == 3 || $v['t'] == 5)) {
				continue;
			}
			$m = '';
			if ($word_meanings) {
				$m = $this->GetWordProperty($v['w']);
			}
			$w = $this->_out_string_encoding($v['w']);
			if ($w != ' ') {
				if ($word_meanings) {
					$rsstr .= $spword . $w . $m;
				} else {
					$rsstr .= $spword . $w;
				}
			}
		}
		return $rsstr;
	}

So, as we can see, the source $_POST['source'] is passed to the echo on line 118 of PHPAnalysis.demo.php without being sanitized.
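
The sink on line 118 with and without output encoding, as an added example that is not part of the original issue or of Carbon-Forum's code. The helpers `render_raw`, `render_escaped` and `textarea_closed_early` and the sample value are assumptions; the sketch models only the `echo` into the `<textarea>` and does not run the analyzer.

```php
<?php
// Added example; not Carbon-Forum code. The render_* helpers are hypothetical
// and model only the sink on line 118 of PHPAnalysis.demo.php.

const OPEN  = '<textarea name="result" id="result">';
const CLOSE = '</textarea>';

// "Before": the value is echoed into the <textarea> body unchanged.
function render_raw(string $okresult): string
{
    return OPEN . $okresult . CLOSE;
}

// "After": HTML-encode at the point of output.
function render_escaped(string $okresult): string
{
    // ENT_QUOTES keeps the same call safe in attribute contexts;
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
    $safe = htmlspecialchars($okresult, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return OPEN . $safe . CLOSE;
}

// A browser treats the <textarea> body as text up to the first "</textarea",
// so more than one occurrence means the value closed the element early.
function textarea_closed_early(string $html): bool
{
    return substr_count(strtolower($html), '</textarea') > 1;
}

// Constructed sample value standing in for $okresult (harmless marker markup).
$okresult = 'word1 word2 </textarea><b>marker</b>';

$raw  = render_raw($okresult);
$safe = render_escaped($okresult);

echo "raw output closes textarea early:     ";
var_dump(textarea_closed_early($raw));
echo "escaped output closes textarea early: ";
var_dump(textarea_closed_early($safe));

// The encoded body decodes back to the same text, so the user still sees
// the analysis result exactly as produced.
$body = substr($safe, strlen(OPEN), -strlen(CLOSE));
echo "escaped body round-trips to original: ";
var_dump(html_entity_decode($body, ENT_QUOTES, 'UTF-8') === $okresult);
```

In the demo page the equivalent change is to wrap the echoed `$okresult` in `htmlspecialchars()` at the point of output.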
