Possible XSS vulnerability

[enferas]

Hello,

I would like to report for XSS vulnerability.

In file https://github.com/ZeroDream-CN/SakuraPanel/blob/master/core/PostHandler.php

line 87

$result = $pm->checkRules($_POST);

In function checkRules

public function checkRules($data)
{
                // ....
		if($this->isProxyNameExist($data['proxy_name'])) {
			return Array(false, "隧� {$data['proxy_name']} 已存在，请使用其他�字");
		}
               // ....
}

line 96

$msg = $result[1] ?? "未知错误";
exit($msg);

exit will terminate the script and print the message which have the value $data['proxy_name']. Then there is XSS vulnerability

[enferas]

CVE-2021-43681 is assigned to this vulnerability.

SakuraPanel v1.0.1.1 is affected by is affected by a Cross Site Scripting (XSS) vulnerability in /master/core/PostHandler.php. The exit function will terminate the script and print the message $data['proxy_name'].

[kasuganosoras]

Thanks for the report, this vulnerability is fixed in 5272615

[enferas]

Thank you for the confirmation.

Two similar possible vulnerabilities in the same file

// *** Vulnerability 1
// line 357
exit($markdown->text($_POST['data']));

// *** Vulnerability 2
// line 368
exit("Undefined action {$params['action']}");
// when the source is coming from core/Router.php
// line 10
$phdle->switcher($_GET);

[kasuganosoras]

The $markdown->text() is safe, it will remove any HTML tags.

The second place is also safe, because it has been filtered by regular expressions:

// https://github.com/ZeroDream-CN/SakuraPanel/blob/master/core/PostHandler.php#L12
if(isset($params['action']) && preg_match("/^[A-Za-z0-9\_\-]{1,20}$/", $params['action'])) {
	switch($params['action']) {
	...
		default:
			exit("Undefined action {$params['action']}");
	}
}