Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Filenames aren't sanitized #180

Open
dongmaster opened this issue Jul 5, 2014 · 5 comments
Open

Filenames aren't sanitized #180

dongmaster opened this issue Jul 5, 2014 · 5 comments

Comments

@dongmaster
Copy link

Title. I fucked over the boards on 4chon.net.
http://puu.sh/9YfNC/a0aab7e262.png

Filename used: < script >alert('hello')</ script >

(I had to put spaces in the script tags so they showed up. Ignore the spaces there)

The problem here is that when you upload a file with that filename, everything after the filename doesn't get displayed. So if you make a thread with an image with the filename you just wiped the whole board and made the other threads/posts invisible.

savetheinternet pushed a commit that referenced this issue Jul 8, 2014
@kpcyrd
Copy link

kpcyrd commented Jul 11, 2014

This fix is included in master. Can this issue be closed?

@czaks
Copy link
Contributor

czaks commented Jul 11, 2014

This one has been already committed
11 lip 2014 20:52 "kpcyrd" [email protected] napisał(a):

Can you please create a pull request for this? I think this should be
merged as fast as possible.


Reply to this email directly or view it on GitHub
#180 (comment)
.

@robot34
Copy link

robot34 commented Jul 12, 2014

A shame. I've been sitting on this 0-day for over a year now. It can be used to silently gain admin privileges, even without stealing any cookies.

I found a few other security vulnerabilities but this was the biggest externally facing one I found from a brief audit. Tinyboard is not even close to the least secure PHP I've seen, but it's definitely not that great.

@czaks
Copy link
Contributor

czaks commented Jul 12, 2014

Not that strong one, unless you were able to upload an image with /
character.
12 lip 2014 19:11 "robot34" [email protected] napisał(a):

A shame. I've been sitting on this 0-day for over a year now.

I found a few other security vulnerabilities but this was the biggest
externally facing one I found from a brief audit.


Reply to this email directly or view it on GitHub
#180 (comment)
.

@robot34
Copy link

robot34 commented Jul 12, 2014

@czaks Since this was already patched I see no reason not to explain it.

But yes, you can upload an image with a / character in the filename. See: https://github.com/savetheinternet/Tinyboard/blob/master/post.php#L347

(Should be pretty obvious to see how to do it.)

Also, in your update message @czaks you say that users can only insert 22 characters of Javascript. If you're clever, you can in fact insert an arbitrary amount.

I can confirm that this issue was and is very exploitable and is just like any other persistent XSS. One way of exploiting it is creating a new admin account with a chosen password as soon as any logged in admin visits the board index or the thread containing the XSS. The patch does fix it though.

There is also at least one way of gaining arbitrary code execution once you have admin privileges. That means an XSS payload can be used to quickly create a PHP shell on any website running Tinyboard or vichan when an admin visits.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants