Filenames aren't sanitized #180
Comments
This fix is included in master. Can this issue be closed?

This one has already been committed.

A shame. I've been sitting on this 0-day for over a year now. It can be used to silently gain admin privileges, even without stealing any cookies. I found a few other security vulnerabilities but this was the biggest externally facing one I found from a brief audit. Tinyboard is not even close to the least secure PHP I've seen, but it's definitely not that great.

Not that strong one, unless you were able to upload an image with /

@czaks Since this was already patched I see no reason not to explain it. But yes, you can upload an image with a (Should be pretty obvious to see how to do it.) Also, in your update message @czaks you say that users can only insert 22 characters of Javascript. If you're clever, you can in fact insert an arbitrary amount. I can confirm that this issue was and is very exploitable and is just like any other persistent XSS. One way of exploiting it is creating a new admin account with a chosen password as soon as any logged in admin visits the board index or the thread containing the XSS. The patch does fix it though. There is also at least one way of gaining arbitrary code execution once you have admin privileges. That means an XSS payload can be used to quickly create a PHP shell on any website running Tinyboard or vichan when an admin visits.
Title. I fucked over the boards on 4chon.net.
http://puu.sh/9YfNC/a0aab7e262.png
Filename used: < script >alert('hello')</ script >
(I had to put spaces in the script tags so they showed up. Ignore the spaces there)
The problem here is that when you upload a file with that filename, everything after the filename doesn't get displayed. So if you make a thread with an image with the filename you just wiped the whole board and made the other threads/posts invisible.
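The following is an added PHP example, not code from Tinyboard, vichan or anyone in this thread. It reproduces the failure mode reported above (an uploaded filename echoed into the page unescaped) next to the two defences a maintainer would want: context-aware output encoding, and a server-side filename whitelist as defence in depth. The comment that a length cap only limits the payload to "22 characters" is why the sanitizer below is paired with escaping rather than used instead of it. The function names, the sample filename and the `/src/` path are all constructed for this illustration.

```php
<?php
// Added example (not Tinyboard/vichan code). Function names, the sample
// filename and the /src/ path are hypothetical, chosen for illustration.

// Constructed sample: the filename from the issue report, with an extension.
const SAMPLE_FILENAME = "<script>alert('hello')</script>.png";

// VULNERABLE: the user-controlled filename is concatenated straight into
// HTML, so any markup in it is rendered by every browser that views the post.
function render_filename_vulnerable(string $filename): string {
    return '<a href="/src/' . $filename . '">' . $filename . '</a>';
}

// FIXED (output encoding): escape for the HTML text context and, separately,
// encode for the URL path context. Each context gets its own encoder.
function render_filename_safe(string $filename): string {
    $text = htmlspecialchars($filename, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $path = rawurlencode($filename);
    return '<a href="/src/' . $path . '">' . $text . '</a>';
}

// DEFENCE IN DEPTH: restrict what is stored in the first place. A whitelist
// of characters and a length cap; the cap alone is not a fix, escaping is.
function sanitize_filename(string $filename, int $maxLen = 100): string {
    $base = basename(str_replace('\\', '/', $filename));   // drop directory parts
    $base = preg_replace('/[^A-Za-z0-9._-]/', '_', $base); // whitelist, not blacklist
    $base = preg_replace('/^\.+/', '', $base);             // no leading dots
    if ($base === '') {
        $base = 'file';
    }
    return substr($base, 0, $maxLen);
}

// Returns true when the rendered HTML contains no executable markup from the
// filename; usable as a regression check in a test suite.
function rendered_is_inert(string $html): bool {
    return stripos($html, '<script') === false;
}

if (PHP_SAPI === 'cli') {
    echo "vulnerable: ", render_filename_vulnerable(SAMPLE_FILENAME), "\n";
    echo "safe:       ", render_filename_safe(SAMPLE_FILENAME), "\n";
    echo "sanitized:  ", sanitize_filename(SAMPLE_FILENAME), "\n";
    echo "vulnerable inert? ", var_export(rendered_is_inert(render_filename_vulnerable(SAMPLE_FILENAME)), true), "\n";
    echo "safe inert?       ", var_export(rendered_is_inert(render_filename_safe(SAMPLE_FILENAME)), true), "\n";
}
```

Run with `php example.php`: the vulnerable renderer emits the `<script>` tag verbatim and fails the `rendered_is_inert` check, while the safe renderer emits `&lt;script&gt;` and passes. The sanitizer is applied at upload time, before the name is stored, so that a display layer that forgets to escape still has less to work with; the escaping in `render_filename_safe` is still the fix that closes the issue.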