[GH-ISSUE #133] Possible XSS vulnerability #106

Closed
opened 2026-02-25 23:40:42 +03:00 by kerem · 7 comments

Originally created by @enferas on GitHub (Nov 11, 2021).
Original GitHub issue: https://github.com/HaschekSolutions/pictshare/issues/133

Hello,

I would like to report an XSS vulnerability.

In `api/info.php`, function `getInfoAboutHash`:

```php
function getInfoAboutHash($hash)
{
    // ...

    return array('hash'=>$hash,'size_bytes'=>$size,'size_interpreted'=>$size_hr,'type'=>$type,'type_interpreted'=>getTypeOfFile($file));
}
```

Line 15:

```php
$hash = $_REQUEST['hash'];
// ...
    $answer = getInfoAboutHash($hash);
    $answer['status'] = 'ok';
    exit(json_encode($answer));
// ...
```

The `exit` function will terminate the script and print the message, which contains `$_REQUEST['hash']`.
So there is an XSS vulnerability.

kerem closed this issue 2026-02-25 23:40:42 +03:00

@geek-at commented on GitHub (Nov 11, 2021):

Cannot confirm because the script will return `{"status":"err","reason":"File not found"}` if the hash is invalid ([see here](https://pictshare.net/api/info.php?hash=%3Cscript%3Ealert(%27xss%27)%3C/script%3E)) because of [line 17](https://github.com/HaschekSolutions/pictshare/blob/master/api/info.php#L17).

But I did find another small bug: if you leave the hash variable out, it was telling you the size of the data folder.

![image](https://user-images.githubusercontent.com/2073090/141348251-df67cff0-9f1d-48f9-a4fd-ac46af18622f.png)

Thanks!


@enferas commented on GitHub (Dec 2, 2021):

Thank you for the confirmation.

CVE-2021-43683 is assigned to this discovery.

pictshare v1.5 is affected by a Cross Site Scripting (XSS) vulnerability in `api/info.php`. The `exit` function will terminate the script and print the message, which contains `$_REQUEST['hash']`.


@geek-at commented on GitHub (Dec 2, 2021):

Do you have a PoC? I can't reproduce it, as it will just say "file not found" if an invalid hash is supplied.


@enferas commented on GitHub (Dec 9, 2021):

Thank you for your response.

Specific values can pass through `json_encode`.
This example gives an alert for me.

```php
<?php
$output = ["A"=>"<img src='#' onerror=alert(1)>","B"=>"Safe"];
echo json_encode($output);
```
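An added example, not code from the pictshare project, showing why the snippet above can fire and what a JSON endpoint should do instead: PHP's default `json_encode` leaves `<`, `>`, `'` and `&` untouched, so a body that a browser interprets as HTML is parsed as markup, while the `JSON_HEX_*` flags plus an explicit `application/json` content type keep the data identical and the body inert. `emitJson` and `containsMarkupChars` are names chosen here, not pictshare functions.

```php
<?php
// Added example, not code from the pictshare project. It reproduces the value
// posted above and shows the hardened encoding an API endpoint should use.
// emitJson() and containsMarkupChars() are names chosen here.

// HTML-significant characters become \uXXXX escapes; JSON consumers still
// decode them to the identical string, so the API contract does not change.
const SAFE_JSON_FLAGS = JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP;

// Encode an API answer so the body stays inert even if a browser ever treats
// it as HTML, and declare the real content type so that it never does.
function emitJson(array $answer): string
{
    $body = json_encode($answer, SAFE_JSON_FLAGS | JSON_THROW_ON_ERROR);
    if (PHP_SAPI !== 'cli') {
        header('Content-Type: application/json; charset=utf-8');
        header('X-Content-Type-Options: nosniff');   // block MIME sniffing to text/html
    }
    return $body;
}

// Does the encoded body still contain a character a browser could parse as
// markup? Only the structural JSON double quotes are expected to remain.
function containsMarkupChars(string $json): bool
{
    return strpbrk($json, "<>'&") !== false;
}

// The exact value from the comment above.
$output = ["A" => "<img src='#' onerror=alert(1)>", "B" => "Safe"];

$plain = json_encode($output);   // default flags: < > ' pass through untouched
$safe  = emitJson($output);

if (!containsMarkupChars($plain) || containsMarkupChars($safe)) {
    throw new RuntimeException('escaping check failed');
}
if (json_decode($safe, true) !== $output) {
    throw new RuntimeException('hardened output must decode to the original data');
}
echo $plain, PHP_EOL, $safe, PHP_EOL;
```

Run from the command line, the first line printed is the raw `<img ...>` markup and the second is the same data with every markup character as a `\u00XX` escape.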

@geek-at commented on GitHub (Dec 10, 2021):

You do realize that the bug was fixed 3 years before you opened the CVE, right? Pictshare 1.5 was released in 2018


@vitalijalbu commented on GitHub (Dec 10, 2021):

@geek-at it would be better if you added releases on this repo, so people can easily ask questions and open issues.


@geek-at commented on GitHub (Dec 10, 2021):

I'm open to pull requests if you want to automate it on every push. At the moment the "releases" are basically what's on [docker hub](https://hub.docker.com/repository/docker/hascheksolutions/pictshare/tags?page=1&ordering=last_updated).

Rolling updates I find more suitable for a project of this scope, because it's easier to manage and faster to update with a git pull if you don't want to use the docker image.
