feebc6d466
Title : Shaarli Vulnerabilities Author : @erwan_lr | @_WPScan_ Vendor : http://sebsauvage.net/wiki/doku.php?id=php:shaarli Download : https://github.com/sebsauvage/Shaarli/archive/master.zip | http://sebsauvage.net/files/shaarli_0.0.40beta.zip Affected versions : master-705F835, 0.0.40-beta (versions below may also be vulnerable) Vulnerabilities : Persistent XSS & Unvalidated Redirects and Forwards Persistent XSS : - During the instalation or configuration modification, the title field is vulnerable. e.g <script>alert(1)</script> Quotes can not be used because of var_export(), but String.fromCharCode works - The url field of a link is vulnerable : When there is no redirector : javascript:alert(1) Then, the code is triggered when a user click the url of a link Or with a classic XSS : "><script>alert(1)</script> Unvalidated Redirects and Forwards : A request with the param linksperpage or privateonly can be used to redirect a user to an arbitrary referer e.g GET /Audit/Shaarli/master-705f835/?linksperpage=10 HTTP/1.1 Host: 127.0.0.1 Referer: https://duckduckgo.com History : March 2, 2013 - Vendor contacted
82 lines
No EOL
4.4 KiB
HTML
82 lines
No EOL
4.4 KiB
HTML
<!DOCTYPE html>
|
|
<html>
|
|
<head>{include="includes"}</head>
|
|
<body>
|
|
<div id="pageheader">
|
|
{include="page.header"}
|
|
<div id="headerform" style="width:100%; white-space:nowrap;">
|
|
<form method="GET" class="searchform" name="searchform" style="display:inline;"><input type="text" id="searchform_value" name="searchterm" style="width:30%" value=""> <input type="submit" value="Search" class="bigbutton"></form>
|
|
<form method="GET" class="tagfilter" name="tagfilter" style="display:inline;margin-left:24px;"><input type="text" name="searchtags" id="tagfilter_value" style="width:10%" value=""> <input type="submit" value="Filter by tag" class="bigbutton"></form>
|
|
</div>
|
|
</div>
|
|
|
|
<div id="linklist">
|
|
|
|
{include="linklist.paging"}
|
|
|
|
{if="count($links)==0"}
|
|
<div id="searchcriteria">Nothing found.</i></div>
|
|
{else}
|
|
{if="$search_type=='fulltext'"}
|
|
<div id="searchcriteria">{$result_count} results for <i>{$search_crits}</i></div>
|
|
{/if}
|
|
{if="$search_type=='tags'"}
|
|
<div id="searchcriteria">{$result_count} results for tags <i>
|
|
{loop="search_crits"}
|
|
<span class="linktag" title="Remove tag"><a href="?removetag={$value|htmlspecialchars}">{$value|htmlspecialchars} <span style="border-left:1px solid #aaa; padding-left:5px; color:#6767A7;">x</span></a></span>
|
|
{/loop}</i></div>
|
|
{/if}
|
|
{/if}
|
|
<ul>
|
|
{loop="links"}
|
|
<li{if="$value.class"} class="{$value.class}"{/if}>
|
|
<a name="{$value.linkdate|smallHash}" id="{$value.linkdate|smallHash}"></a>
|
|
<div class="thumbnail">{$value.url|thumbnail}</div>
|
|
<div class="linkcontainer">
|
|
{if="isLoggedIn()"}
|
|
<div class="linkeditbuttons">
|
|
<form method="GET" class="buttoneditform"><input type="hidden" name="edit_link" value="{$value.linkdate}"><input type="image" alt="Edit" src="images/edit_icon.png#" title="Edit" class="button_edit"></form><br>
|
|
<form method="POST" class="buttoneditform"><input type="hidden" name="lf_linkdate" value="{$value.linkdate}">
|
|
<input type="hidden" name="token" value="{$token}"><input type="hidden" name="delete_link"><input type="image" alt="Delete" src="images/delete_icon.png#" title="Delete" class="button_delete" onClick="return confirmDeleteLink();"></form>
|
|
</div>
|
|
{/if}
|
|
<span class="linktitle"><a href="{$redirector}{$value.url|htmlspecialchars}">{$value.title|htmlspecialchars}</a></span>
|
|
<br>
|
|
{if="$value.description"}<div class="linkdescription"{if condition="$search_type=='permalink'"} style="max-height:none !important;"{/if}>{$value.description}</div>{/if}
|
|
{if="!$GLOBALS['config']['HIDE_TIMESTAMPS'] || isLoggedIn()"}
|
|
<span class="linkdate" title="Permalink"><a href="?{$value.linkdate|smallHash}">{$value.localdate|htmlspecialchars} - permalink</a> - </span>
|
|
{else}
|
|
<span class="linkdate" title="Short link here"><a href="?{$value.linkdate|smallHash}">permalink</a> - </span>
|
|
{/if}
|
|
<div style="position:relative;display:inline;"><a href="http://invx.com/code/qrcode/?code={$scripturl|urlencode}%3F{$value.linkdate|smallHash}&width=200&height=200"
|
|
{if="empty($GLOBALS['disablejquery'])"}onclick="return false;"{/if} class="qrcode"><img src="images/qrcode.png#" width="13" height="13" title="QR-Code"></a></div> -
|
|
<span class="linkurl" title="Short link">{$value.url|htmlspecialchars}</span><br>
|
|
{if="$value.tags"}
|
|
<div class="linktaglist">
|
|
{loop="value.taglist"}<span class="linktag" title="Add tag"><a href="?addtag={$value|urlencode}">{$value|htmlspecialchars}</a></span> {/loop}
|
|
</div>
|
|
{/if}
|
|
</div>
|
|
</li>
|
|
{/loop}
|
|
</ul>
|
|
|
|
{include="linklist.paging"}
|
|
|
|
</div>
|
|
|
|
{include="page.footer"}
|
|
{if="empty($GLOBALS['disablejquery'])"}
|
|
<script>
|
|
$(document).ready(function() {
|
|
$('a.qrcode').click(function(){
|
|
hide_qrcode();
|
|
var link = $(this).attr('href');
|
|
$(this).after('<div class="qrcode" onclick="hide_qrcode();return false;"><img src="'+link+'#" width="200" height="200"><br>click to close</div>');
|
|
});
|
|
});
|
|
function hide_qrcode() { $('div.qrcode').remove(); }
|
|
</script>
|
|
{/if}
|
|
</body>
|
|
</html> |