Commit graph

16 commits

Author SHA1 Message Date
53311376dc [fix] syntax error on loading external javascript 2013-03-21 10:32:42 +01:00
fef1279b23 Merge branch 'master' of git://github.com/sebsauvage/Shaarli
Conflicts:
	.gitignore
2013-03-11 10:10:50 +01:00
David Sferruzza
f2acdfd14e Move lazyload init inside the body tag 2013-03-10 19:04:48 +01:00
dc21529403 Merge remote-tracking branch 'origin/master'
Conflicts:
	tpl/editlink.html
2013-03-05 08:59:04 +01:00
9de40d272f Merge branch 'master' of git://github.com/sebsauvage/Shaarli
Conflicts:
	index.php
	tpl/includes.html
	tpl/linklist.html
	tpl/page.footer.html
2013-03-04 14:03:46 +01:00
bb8f712db6 [add] https://github.com/sebsauvage/Shaarli/issues/20 New links created as private by default. 2013-03-04 10:18:39 +01:00
Sebastien SAUVAGE
feebc6d466 Corrected vulnerabilities (see report below)
Title : Shaarli Vulnerabilities
Author : @erwan_lr | @_WPScan_

Vendor : http://sebsauvage.net/wiki/doku.php?id=php:shaarli
Download : https://github.com/sebsauvage/Shaarli/archive/master.zip |
http://sebsauvage.net/files/shaarli_0.0.40beta.zip
Affected versions : master-705F835, 0.0.40-beta (versions below may also
be vulnerable)

Vulnerabilities : Persistent XSS & Unvalidated Redirects and Forwards

Persistent XSS :
- During the instalation or configuration modification, the title field
is vulnerable. e.g <script>alert(1)</script>
Quotes can not be used because of var_export(), but String.fromCharCode
works

- The url field of a link is vulnerable :

When there is no redirector : javascript:alert(1)
Then, the code is triggered when a user click the url of a link

Or with a classic XSS : "><script>alert(1)</script>

Unvalidated Redirects and Forwards :
A request with the param linksperpage or privateonly can be used to
redirect a user to an arbitrary referer

e.g
GET /Audit/Shaarli/master-705f835/?linksperpage=10 HTTP/1.1
Host: 127.0.0.1
Referer: https://duckduckgo.com

History :
March 2, 2013
- Vendor contacted
2013-03-03 22:15:38 +01:00
Sebastien SAUVAGE
858c5c2b43 Added option to disable jQuery and heavy javascript
Shaarli uses light Javascript in its normal operation, and some jQuery
for some features (autocomplete in tags, QR-Code popup...).
jQuery can be slow on small computers. An option has been added in
configuration screen to disable javascript features which are hard on
CPU.
(Note that the Picture Wall is awfully heavy *without* jQuery.)

(Side note: A *LOT* of users want Shaarli to work without javasript at
all, if possible. That's why I try to use as few javascript as possible:
It keeps Shaarli pages fast.)
2013-03-01 22:21:10 +01:00
edfa09c1f5 Who have add index.php in tpl dir ....... Oups it's me sorry 2013-02-28 17:03:56 +01:00
e074ff6499 Add link the homepage 2013-02-28 15:01:26 +01:00
1eacb94c3e Merge remote-tracking branch 'origin/master'
Conflicts:
	tpl/linklist.html
2013-02-28 14:45:11 +01:00
Sébastien SAUVAGE
b342b2a4c7 After clicking save/cancel on a link, scroll to the link itself. 2013-02-27 18:24:07 +01:00
Sébastien SAUVAGE
b2877611c3 Edit/delete button on the left-side of links.
https://github.com/sebsauvage/Shaarli/issues/5
2013-02-27 17:46:45 +01:00
24391820a1 [add] Print domain name for @via link 2013-02-27 12:24:51 +01:00
3732e83db9 Première version de MyOnSni 2013-02-27 12:00:16 +01:00
Sébastien SAUVAGE
450342737c Initial commit (version 0.0.40 beta) 2013-02-26 10:09:41 +01:00