!CRITICAL! - XSS vulnerability

Status
Not open for further replies.

Gatses

Chevereto Member
Hello.
I just found a bug in how Chevereto builds the meta tags for an image page.
Problem:
The description is kept in the database "as is" (with HTML tags), and when Chevereto formats the meta tags it just takes the description from the DB and puts it into the meta tag.
You can see an XSS attack example here: http://demo.chevereto.com/image/rEe

How to fix it:
Go to /var/www/chevy/app/themes/Peafowl/header.php (it's the standard Chevereto theme)

Find this code:

PHP:
// Vulnerable: $v comes straight from the database and is echoed unescaped
foreach($open_graph  as $k => $v) {
    if(!$v) continue;
    echo '<meta property="og:'.$k.'" content="'. $v .'">'."\n";
}

And replace with this one:

PHP:
// Proposed change: strip_tags() removes HTML tags from $v before it is echoed
foreach ($open_graph  as $k => $v) {
    if(!$v) continue;
    echo '<meta property="og:'.$k.'" content="' . strip_tags($v) . '">'."\n";
}
It's a HIGHLY CRITICAL BUG; I strongly recommend that all users apply it right now.

@Rodolfo Please fix this one ASAP, and sorry for publishing it publicly. I think your users need to know about it.
 
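The following is an added example, not code from the post above or from Chevereto itself. It puts the original echo, the strip_tags() version and an htmlspecialchars() version side by side and feeds each a constructed description. The payload is an assumption for illustration: it contains no HTML tag at all, so strip_tags() passes it through unchanged, yet its double quotes close the content attribute and add new attributes to the <meta> element. Only the htmlspecialchars() variant keeps the attribute intact. The function names and the quote-counting check are the example's own.

```php
<?php
// Added example (not Chevereto code): three ways of emitting the image
// description into an Open Graph meta tag, run against a constructed
// payload that breaks out of the content="" attribute.

declare(strict_types=1);

// Constructed attacker-controlled description (assumption for this example).
// It closes the attribute and injects extra attributes onto the <meta> element.
// It contains no <...> tag, so strip_tags() leaves it untouched.
const PAYLOAD = '" http-equiv="refresh" content="0;url=javascript:alert(1)';

function meta_raw(string $k, string $v): string
{
    // Original behaviour: the value from the database goes straight into the attribute.
    return '<meta property="og:' . $k . '" content="' . $v . '">' . "\n";
}

function meta_strip_tags(string $k, string $v): string
{
    // Proposed fix: removes <...> tags but does not touch quotes.
    return '<meta property="og:' . $k . '" content="' . strip_tags($v) . '">' . "\n";
}

function meta_escaped(string $k, string $v): string
{
    // Output encoding for an HTML attribute: encode &, <, >, " and ' as entities.
    $safe = htmlspecialchars($v, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<meta property="og:' . $k . '" content="' . $safe . '">' . "\n";
}

// A meta tag we built ourselves contains exactly four raw double quotes
// (property="..." and content="..."). Any extra quote means the attacker
// closed the attribute and is now writing attributes of their own.
function attribute_intact(string $html): bool
{
    return substr_count($html, '"') === 4;
}

$open_graph = ['title' => 'Sunset', 'description' => PAYLOAD];
$variants   = ['raw' => 'meta_raw', 'strip_tags' => 'meta_strip_tags', 'escaped' => 'meta_escaped'];

foreach ($open_graph as $k => $v) {
    if (!$v) {
        continue;
    }
    foreach ($variants as $name => $fn) {
        $html = $fn($k, $v);
        printf("%-10s %-7s %s", $name, attribute_intact($html) ? 'ok' : 'BROKEN', $html);
    }
}
```

Running it shows "BROKEN" for both the raw and the strip_tags() rows on the description key and "ok" for the escaped row. The same htmlspecialchars() call with ENT_QUOTES is the right tool wherever the description is printed into HTML, whether into an attribute in header.php or into element text in the image and album views; strip_tags() only removes tags and is not an encoding step.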
Your patch is incomplete. Actually, the meta tag thing will trigger JavaScript execution only in selected browsers; the real problem is in the full-info display, which is only available to admins, and I've already applied a patch for this issue in version 3.5.16, so if someone has already downloaded 3.5.16, simply re-download and replace:

Code:
app/themes/Peafowl/header.php
app/themes/Peafowl/views/image.php
app/themes/Peafowl/views/album.php