savetheinternet / Tinyboard

The better imageboard software

Home Page: http://tinyboard.org


Filenames aren't sanitized

dongmaster opened this issue · comments

Title. I fucked over the boards on 4chon.net.
http://puu.sh/9YfNC/a0aab7e262.png

Filename used: < script >alert('hello')</ script >

(I had to put spaces in the script tags so they showed up. Ignore the spaces there)

The problem here is that when you upload a file with that filename, everything after the filename doesn't get displayed. So if you make a thread with an image with the filename you just wiped the whole board and made the other threads/posts invisible.

This fix is included in master. Can this issue be closed?

This one has already been committed.
On 11 Jul 2014 20:52, "kpcyrd" notifications@github.com wrote:

Can you please create a pull request for this? I think this should be
merged as fast as possible.


Reply to this email directly or view it on GitHub: #180 (comment).

A shame. I've been sitting on this 0-day for over a year now. It can be used to silently gain admin privileges, even without stealing any cookies.

I found a few other security vulnerabilities but this was the biggest externally facing one I found from a brief audit. Tinyboard is not even close to the least secure PHP I've seen, but it's definitely not that great.

Not that strong a one, unless you were able to upload an image with a / character.
On 12 Jul 2014 19:11, "robot34" notifications@github.com wrote:

A shame. I've been sitting on this 0-day for over a year now.

I found a few other security vulnerabilities but this was the biggest
externally facing one I found from a brief audit.



@czaks Since this was already patched I see no reason not to explain it.

But yes, you can upload an image with a / character in the filename. See: https://github.com/savetheinternet/Tinyboard/blob/master/post.php#L347

(Should be pretty obvious to see how to do it.)

Also, in your update message @czaks you say that users can only insert 22 characters of JavaScript. If you're clever, you can in fact insert an arbitrary amount.

I can confirm that this issue was and is very exploitable and is just like any other persistent XSS. One way of exploiting it is creating a new admin account with a chosen password as soon as any logged in admin visits the board index or the thread containing the XSS. The patch does fix it though.

There is also at least one way of gaining arbitrary code execution once you have admin privileges. That means an XSS payload can be used to quickly create a PHP shell on any website running Tinyboard or vichan when an admin visits.
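The two defects discussed in this thread, an uploaded filename echoed into HTML unescaped (the original report) and a filename containing "/" being used as-is (the later comments), side by side with a hardened form. This is an added example written for this page, not Tinyboard's or vichan's own code; the function names and the sample filenames are constructed for illustration.

```php
<?php
// Added example, not Tinyboard code. Function names are assumptions.

// Vulnerable form: the original filename is interpolated into the page
// as-is, so a name like <script>alert('hello')</script> becomes live
// markup and can swallow everything rendered after it, as the report says.
function render_filename_unsafe(string $name): string {
    return "<span class=\"filename\">$name</span>";
}

// Hardened form: escape for the HTML context at output time. ENT_QUOTES
// also escapes ' and ", so the value is safe inside attributes as well;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function render_filename_safe(string $name): string {
    $escaped = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<span class=\"filename\">$escaped</span>";
}

// Separately, normalise the name before it is stored or used to build a
// path: keep only the last path component and drop control characters,
// so a name containing "/" (or "\") cannot point outside the upload directory.
function sanitize_stored_filename(string $name): string {
    $name = str_replace('\\', '/', $name);
    $name = basename($name);
    $name = preg_replace('/[\x00-\x1F\x7F]/', '', $name);
    if ($name === '' || $name === '.' || $name === '..') {
        $name = 'file';
    }
    return $name;
}

// Constructed sample inputs; not data taken from the original report.
$samples = [
    "<script>alert('hello')</script>",
    "../escape.png",
    "photo \"one\".jpg",
];

foreach ($samples as $s) {
    echo "unsafe : " . render_filename_unsafe($s) . "\n";
    echo "safe   : " . render_filename_safe($s) . "\n";
    echo "stored : " . sanitize_stored_filename($s) . "\n\n";
}
```

Escaping at output time is what stops the stored XSS; the path normalisation is a separate control and does not replace it.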