[PR #511] [MERGED] Security Fix for XSS - huntr.dev #997

Closed
opened 2026-03-02 16:02:40 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/prasathmani/tinyfilemanager/pull/511
Author: @huntr-helper
Created: 3/22/2021
Status: Merged
Merged: 3/22/2021
Merged by: @prasathmani

Base: master ← Head: 1-other-tinyfilemanager


📝 Commits (2)

  • b5e2509 Fixed 3 sinks which caused XSS in filename
  • 221c92c Merge pull request #1 from purecarnage/fix-xss-in-filename

📊 Changes

1 file changed (+3 additions, -3 deletions)

View changed files

📝 tinyfilemanager.php (+3 -3)

📄 Description

@purecarnage (https://huntr.dev/users/purecarnage) has fixed a potential XSS vulnerability in your repository 🔨. For more information, visit our website (https://huntr.dev/) or click the bounty URL below...

Q | A
Version Affected | *
Bug Fix | YES
Original Pull Request | https://github.com/418sec/tinyfilemanager/pull/1

If you are happy with this disclosure, we would love to get a CVE assigned to the vulnerability. Feel free to credit @purecarnage, the discloser found in the bounty URL (below) and @huntr-helper.

User Comments:

📊 Metadata

Bounty URL: https://www.huntr.dev/bounties/1-other-tinyfilemanager/

⚙️ Description

An XSS vulnerability was reported on huntr.dev at the link given above.
This was fixed by using the fm_enc() function to encode HTML characters.

💻 Technical Description

The issue was caused at three locations (sinks). The fix was simple: wrap the output string with fm_enc().

🐛 Proof of Concept (PoC)

  • Just upload a file with filename: "><img src=x onerror=alert(222)>.png.
  • Go back to homepage, you'll see three alert boxes.

Here's a GIF by the reporter: https://drive.google.com/file/d/1t2afWVrLu_mb_S69n6d4SbLHOziuEeuZ/view?usp=sharing

🔥 Proof of Fix (PoF)

I've replayed the same payload, it will not pop an alert box as before.

tfm-fix (GIF): https://user-images.githubusercontent.com/81140508/111952851-bdca8780-8b0b-11eb-8443-4499b44c7ce2.gif


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

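The following is an added illustration of the class of fix described above, not code from tinyfilemanager or from the PR. It assumes a helper `fm_enc_example()` that behaves the way an HTML encoder such as `fm_enc()` is expected to (escape `&`, `<`, `>`, `"` and `'` with `htmlspecialchars`); the two `render_row_*` functions are hypothetical stand-ins for a listing row with three sinks (an `href`, a `title` attribute and the visible text), and the filename is the PoC value quoted on this page.

```php
<?php
// Added example (not tinyfilemanager's code). Shows a filename reaching three
// HTML sinks unencoded, and the same row with every sink wrapped in an encoder.

// Assumed stand-in for an fm_enc()-style helper: HTML-encode for text nodes
// and quoted attribute values. ENT_QUOTES also covers single-quoted attributes.
function fm_enc_example(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed input: the filename from the proof of concept on this page.
const POC_FILENAME = '"><img src=x onerror=alert(222)>.png';

// Before: three sinks (href, title, text) receive the raw filename.
// The leading "> closes the attribute and the tag, so the <img> becomes markup.
function render_row_vulnerable(string $name): string
{
    return '<tr><td>'
        . '<a href="?view=' . $name . '" title="' . $name . '">' . $name . '</a>'
        . '</td></tr>';
}

// After: every sink is wrapped. The href is URL-encoded first (it is a URL
// context) and then HTML-encoded like the other two attribute/text sinks.
function render_row_fixed(string $name): string
{
    $enc = fm_enc_example($name);
    return '<tr><td>'
        . '<a href="?view=' . fm_enc_example(rawurlencode($name)) . '" title="' . $enc . '">' . $enc . '</a>'
        . '</td></tr>';
}

// Defender's check: does the rendered HTML contain an injected <img> start tag?
// "&lt;img" in the fixed output is text, not markup, and does not match.
function has_injected_element(string $html): bool
{
    return (bool) preg_match('/<img\b/i', $html);
}

if (PHP_SAPI === 'cli') {
    $rows = [
        'vulnerable' => render_row_vulnerable(POC_FILENAME),
        'fixed'      => render_row_fixed(POC_FILENAME),
    ];
    foreach ($rows as $label => $html) {
        printf("%-10s injected tag: %s\n%s\n\n", $label, has_injected_element($html) ? 'yes' : 'no', $html);
    }
}
```

Running this from the command line prints the vulnerable row with a live `<img ... onerror=...>` element and the fixed row where the same bytes appear as `&quot;&gt;&lt;img ...&gt;` text. The check only models HTML text and quoted-attribute sinks, which is what an `fm_enc()`-style wrap addresses; a filename written into a JavaScript string or inline event handler would need a context-specific encoding (for example `json_encode()` for a JS literal) in addition to HTML encoding.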