MyShaarli/tpl
Sebastien SAUVAGE feebc6d466 Corrected vulnerabilities (see report below)
Title : Shaarli Vulnerabilities
Author : @erwan_lr | @_WPScan_

Vendor : http://sebsauvage.net/wiki/doku.php?id=php:shaarli
Download : https://github.com/sebsauvage/Shaarli/archive/master.zip |
http://sebsauvage.net/files/shaarli_0.0.40beta.zip
Affected versions : master-705F835, 0.0.40-beta (versions below may also
be vulnerable)

Vulnerabilities : Persistent XSS & Unvalidated Redirects and Forwards

Persistent XSS :
- During the installation or configuration modification, the title field
is vulnerable. e.g. <script>alert(1)</script>
Quotes can not be used because of var_export(), but String.fromCharCode
works

- The url field of a link is vulnerable :

When there is no redirector : javascript:alert(1)
Then, the code is triggered when a user clicks the url of a link

Or with a classic XSS : "><script>alert(1)</script>

Unvalidated Redirects and Forwards :
A request with the param linksperpage or privateonly can be used to
redirect a user to an arbitrary referer

e.g.
GET /Audit/Shaarli/master-705f835/?linksperpage=10 HTTP/1.1
Host: 127.0.0.1
Referer: https://duckduckgo.com

History :
March 2, 2013
- Vendor contacted
2013-03-03 22:15:38 +01:00
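Added example, not Shaarli's own code and not the fix contained in this commit: one way to defend against the three issues in the report above (HTML-encode the stored title on output, allow-list the link URL's scheme before it reaches an href, and never use the Referer as a redirect destination). The function names and the `$own_host` parameter are assumptions; the sample inputs are constructed from the report.

```php
<?php
// Hypothetical helpers, not Shaarli's API.

// 1. Title field: var_export() only blocks quotes in storage; the real
//    defence is HTML-encoding at output time, regardless of what was stored.
function render_title($title) {
    return htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 2. Link URL: only a small set of schemes may be placed in href.
//    "javascript:" (and "data:", "vbscript:") are rejected, and encoding
//    the survivor also neutralises the classic "><script> breakout.
function safe_href($url) {
    $allowed = array('http', 'https', 'ftp');
    $scheme = parse_url($url, PHP_URL_SCHEME);   // string, null or false
    if (!is_string($scheme) || !in_array(strtolower($scheme), $allowed, true)) {
        return '#';
    }
    return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 3. Redirect after linksperpage/privateonly: the Referer is attacker-chosen.
//    Accept it only if it points at our own host, and rebuild the target from
//    path + query so an absolute or protocol-relative URL can never leak out.
//    In a real handler $own_host would come from the configured site host.
function safe_redirect_target($referer, $own_host) {
    $fallback = '?';                                 // Shaarli's front page
    if (!is_string($referer) || $referer === '') return $fallback;
    $p = parse_url($referer);
    if ($p === false || !isset($p['host'])) return $fallback;
    if (strcasecmp($p['host'], $own_host) !== 0) return $fallback;
    if (isset($p['scheme']) && !in_array(strtolower($p['scheme']), array('http', 'https'), true)) {
        return $fallback;
    }
    $target = isset($p['path']) ? $p['path'] : '/';
    if (strncmp($target, '//', 2) === 0) return $fallback;  // "//evil" would be protocol-relative
    if (isset($p['query'])) $target .= '?' . $p['query'];
    return $target;
}

// Constructed sample values taken from the report above.
echo render_title('<script>alert(1)</script>'), "\n";
echo safe_href('javascript:alert(1)'), "\n";
echo safe_href('"><script>alert(1)</script>'), "\n";
echo safe_href('https://example.com/?a=1&b=2'), "\n";
echo safe_redirect_target('https://duckduckgo.com', '127.0.0.1'), "\n";
echo safe_redirect_target('http://127.0.0.1/Audit/Shaarli/?searchtags=x', '127.0.0.1'), "\n";
```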
addlink.html Initial commit (version 0.0.40 beta) 2013-02-26 10:09:41 +01:00
changepassword.html Initial commit (version 0.0.40 beta) 2013-02-26 10:09:41 +01:00
changetag.html Initial commit (version 0.0.40 beta) 2013-02-26 10:09:41 +01:00
configure.html Added option to disable jQuery and heavy javascript 2013-03-01 22:21:10 +01:00
daily.html Initial commit (version 0.0.40 beta) 2013-02-26 10:09:41 +01:00
dailyrss.html Initial commit (version 0.0.40 beta) 2013-02-26 10:09:41 +01:00
editlink.html Initial commit (version 0.0.40 beta) 2013-02-26 10:09:41 +01:00
export.html Initial commit (version 0.0.40 beta) 2013-02-26 10:09:41 +01:00
import.html Initial commit (version 0.0.40 beta) 2013-02-26 10:09:41 +01:00
includes.html Added option to disable jQuery and heavy javascript 2013-03-01 22:21:10 +01:00
install.html Initial commit (version 0.0.40 beta) 2013-02-26 10:09:41 +01:00
linklist.html Corrected vulnerabilities (see report below) 2013-03-03 22:15:38 +01:00
linklist.paging.html Initial commit (version 0.0.40 beta) 2013-02-26 10:09:41 +01:00
loginform.html Initial commit (version 0.0.40 beta) 2013-02-26 10:09:41 +01:00
page.footer.html Added option to disable jQuery and heavy javascript 2013-03-01 22:21:10 +01:00
page.header.html Corrected vulnerabilities (see report below) 2013-03-03 22:15:38 +01:00
page.html Initial commit (version 0.0.40 beta) 2013-02-26 10:09:41 +01:00
picwall.html Added option to disable jQuery and heavy javascript 2013-03-01 22:21:10 +01:00
picwall2.html Initial commit (version 0.0.40 beta) 2013-02-26 10:09:41 +01:00
readme.txt Initial commit (version 0.0.40 beta) 2013-02-26 10:09:41 +01:00
tagcloud.html Initial commit (version 0.0.40 beta) 2013-02-26 10:09:41 +01:00
tools.html Initial commit (version 0.0.40 beta) 2013-02-26 10:09:41 +01:00

===== Shaarli template organisation =====

Any Shaarli page should conform to this RainTPL template:

-----------------------------------------------------
<html>
<head>{include="includes"}</head>
<body>
	<div id="pageheader">{include="page.header"}</div>
    Your body goes here...
    {include="page.footer"}
</body>
</html>
-----------------------------------------------------

If you want to also add something in the page header (in the dark area), do it here:

<div id="pageheader">{include="page.header"}My menu goes here...</div>


Example: "Add new link" form:
-----------------------------------------------------
<html>
<head>{include="includes"}</head>
<body onload="document.addform.post.focus();">
<div id="pageheader">
	{include="page.header"}
	<div id="headerform">
		<form method="GET" action="" name="addform" class="addform">
			<input type="text" name="post" style="width:50%;"> 
			<input type="submit" value="Add link" class="bigbutton">
		</form>
	</div>
</div>
{include="page.footer"}
</body>
</html>
-----------------------------------------------------