
Cross-site scripting vulnerabilities in PHP #58

@ha5dzs

Description


Hi,

Our IT department regularly scans all public servers for vulnerabilities. Normally, these are some AI-based tools that look for missed updates or bad configurations.

This time, they found a problem, and I managed to replicate it.

So in views/search.php, you directly output the imperialUnits HTTP POST variable into the html document that is being sent back to the client.

Now, normally, this should only be a boolean, but I can literally put anything into it, and it will be in the html document as if it was part of the server's code.

I fixed this by adding a simple sanity check. I declared this into a boolean, where the value is 0 when it is set to 0 or 1 if anything else is set.

So, no matter what you supply as the value of imperialUnits, it will always be either 0 or 1 in the html document.

I would create a pull request, but I kind of butchered your code to fit our needs and it no longer can be merged.

See the commit here.

Essentially I did:

$use_imperial_units = ($_GET['imperialUnits'] != 0) ? 1 : 0;

...and further down, instead of:

 <a class="tdlink" href="/views/overview.php?id=<?php echo $foundStation->id; ?>&imperialUnits=<?php echo $_GET['imperialUnits'] ?? 0; ?>"><?php echo htmlentities($foundStation->name) ?></a>

...

 loadView('/views/search.php?imperialUnits=<?php echo $_GET['imperialUnits'] ?? '0'; ?>&q=' + q + '&seconds=' + seconds);

I did

 <a class="tdlink" href="/views/overview.php?id=<?php echo $foundStation->id; ?>&imperialUnits=<?php echo $use_imperial_units ?>"><?php echo htmlentities($foundStation->name) ?></a>

...

loadView('/views/search.php?imperialUnits=<?php echo $use_imperial_units ?>&q=' + q + '&seconds=' + seconds);

I did a brief test and now it behaves as it should. While this is a fairly minor problem (you'll need to click on a 'poisoned' link in order for a third-party script to be run), it will probably be flagged up as an issue for all implementations eventually.

(edit: 'sent back to the client', and I found some typos)
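The two sinks described in this issue (a query value echoed into an `href` attribute and into a JavaScript string literal) and one way to close them, as an added example that is not the project's code or the reporter's commit. The parameter name `imperialUnits` and the link shape come from the issue; the function names, the station id/name and the crafted input are constructed for illustration.

```php
<?php
// Added example, not code from the project or from the issue author.
// Demonstrates the reflected-value problem from the issue and a hardened version.
declare(strict_types=1);

// Allow-list normalisation: only the exact value "1" (or a true boolean) enables
// imperial units; anything else, including a missing key, becomes 0. This avoids
// relying on loose comparison ("abc" != 0 differs between PHP 7 and PHP 8) and
// never raises an undefined-index warning because the caller passes $_GET[...] ?? null.
function normalizeImperialUnits(mixed $raw): int
{
    return ($raw === '1' || $raw === 1 || $raw === true) ? 1 : 0;
}

// Mirrors the vulnerable template: the raw request value lands inside the href
// attribute unescaped, so a crafted value can close the attribute and the tag.
function renderLinkUnsafe(int $id, string $name, mixed $rawImperial): string
{
    return '<a class="tdlink" href="/views/overview.php?id=' . $id
        . '&imperialUnits=' . ($rawImperial ?? 0) . '">'
        . htmlentities($name) . '</a>';
}

// Hardened: the value is forced to 0/1, the query string is built by
// http_build_query, and the whole attribute value is escaped for HTML context.
function renderLinkSafe(int $id, string $name, mixed $rawImperial): string
{
    $query = http_build_query([
        'id'            => $id,
        'imperialUnits' => normalizeImperialUnits($rawImperial),
    ]);
    $href = htmlspecialchars('/views/overview.php?' . $query, ENT_QUOTES, 'UTF-8');
    return '<a class="tdlink" href="' . $href . '">'
        . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</a>';
}

// The second sink in the issue is a JavaScript string literal inside loadView(...).
// json_encode with the HEX flags produces a literal that is safe to embed in
// inline script even when the surrounding page is HTML.
function renderLoadViewCall(mixed $rawImperial): string
{
    $url = '/views/search.php?' . http_build_query([
        'imperialUnits' => normalizeImperialUnits($rawImperial),
    ]);
    $literal = json_encode($url, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return 'loadView(' . $literal . " + '&q=' + q + '&seconds=' + seconds);";
}

// Constructed input standing in for what a "poisoned" link could carry
// instead of 0 or 1 (harmless marker text, not a working payload).
$constructedInput = '1"><em>injected</em><a href="';

echo 'unsafe:   ' . renderLinkUnsafe(42, 'Example station', $constructedInput) . PHP_EOL;
echo 'safe:     ' . renderLinkSafe(42, 'Example station', $constructedInput) . PHP_EOL;
echo 'loadView: ' . renderLoadViewCall($constructedInput) . PHP_EOL;
```

Run with `php example.php`: the unsafe line shows the marker text rendered as real markup inside the anchor, while the safe line contains only `imperialUnits=1` with every `&` and `"` encoded, and the `loadView` line carries a properly quoted JavaScript string. The normalisation step removes the injection vector on its own, as the issue's fix does; the escaping calls are the second layer that keeps the templates safe if a non-numeric field is ever added to the same links.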
