found Multiple issues #220

Closed
paragbagul111 opened this issue Mar 24, 2023 · 14 comments

@paragbagul111

paragbagul111 commented Mar 24, 2023

file upload issue: https://huntr.dev/bounties/a993a05f-be50-4983-a44a-3bbff1ec00db/
directory traversal: https://huntr.dev/bounties/4ca6d3c1-b3cf-4c64-b8ea-4977a474d725/
csrf: https://huntr.dev/bounties/b30ef7b0-74ea-4cac-adc4-1cc8a5cb559e/

cross site scripting: https://huntr.dev/bounties/a38bb7c5-7e17-4a65-8b43-04e4024febaf/
Offered support requested from Parag Bagul

@azett azett added the security label Jun 11, 2023
@azett
Member

azett commented Jun 11, 2023

Thanks for reporting, we'll look into it!

@paragbagul111
Author

Okay, I reported these issues four months ago, and I have still not received a response to my report.

@paragbagul111
Author

Hello team,

How many days will it take to patch the vulnerabilities? I have provided secure code snippets and detailed functions for patching the vulnerability. Could you please check my replies on huntr.dev?

Parag Bagul
Security Researcher

@Fraenkiman
Collaborator

Fraenkiman commented Jun 25, 2023

Hello Parag Bagul,

thanks for asking and for your code snippets.
We are committed to investigating and fixing all vulnerabilities as soon as possible. Currently, we are still working on milestone 3. Please excuse that we therefore cannot say how many days it will take to close the vulnerabilities.

FlatPress is maintained in their spare time by a cheerful group of volunteer developers. We would be happy if you joined us as a developer, forked FlatPress and supported us with pull requests for further development.

With best regards
Frank

@Fraenkiman
Collaborator

Fraenkiman commented Aug 31, 2023

Idea:

```php
// Define allowed characters in the filename / input field:
// letters, digits, underscore, hyphen and dot only.
$allowed_chars_regex = "/^[a-zA-Z0-9_\-\.]+$/";
```

This is to prevent the filename/input field and its extension from containing special characters like < > () =.

For email_address input (the alternations are written as plain `|`; inside a PCRE pattern `\|` would match a literal pipe character):

```regex
^(([A-Za-z0-9]+_+)|([A-Za-z0-9]+\-+)|([A-Za-z0-9]+\.+)|([A-Za-z0-9]+\++))*[A-Za-z0-9]+@((\w+\-+)|(\w+\.))*\w{1,63}\.[a-zA-Z]{2,6}$
```

It verifies that:

  • Only letters, numbers and email acceptable symbols (+, _, -, .) are allowed
  • No two different symbols may follow each other
  • Cannot begin with a symbol
  • Ending domain must be at least 2 letters
  • Supports subdomains
  • TLD must be between 2 and 6 letters (Ex: .ca, .museum)
  • Only (-) and (.) symbols are allowed in domain, but not consecutively.
    Matches: g_s+gav@com.com | gav@gav.com | jim@jim.c.dc.ca
    Non matches: gs_.gs@com.com | gav@gav.c | jim@--c.ca
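The two patterns proposed above, wrapped in functions and run against the sample addresses listed in the comment. This is an added example, not FlatPress code and not the commenter's code; the file names in the demo are constructed. It also shows one caveat a reviewer would raise about the file-name class: `.` and `..` consist only of allowed characters, so they pass the regex and must be rejected separately.

```php
<?php
// Added example (not FlatPress project code): the two regexes proposed in the
// comment above, wrapped in validator functions and exercised on sample input.

// Allowed characters for a file name: letters, digits, underscore, hyphen, dot.
const FILENAME_REGEX = '/^[a-zA-Z0-9_\-\.]+$/';

// The email regex from the comment, with the alternations written as plain "|".
const EMAIL_REGEX = '/^(([A-Za-z0-9]+_+)|([A-Za-z0-9]+\-+)|([A-Za-z0-9]+\.+)|([A-Za-z0-9]+\++))*'
                  . '[A-Za-z0-9]+@((\w+\-+)|(\w+\.))*\w{1,63}\.[a-zA-Z]{2,6}$/';

function is_valid_filename(string $name): bool
{
    // "." and ".." are made only of allowed characters, so the character
    // class alone would accept them; they are directory references, not files.
    if (trim($name, '.') === '') {
        return false;
    }
    return preg_match(FILENAME_REGEX, $name) === 1;
}

function is_valid_email(string $address): bool
{
    return preg_match(EMAIL_REGEX, $address) === 1;
}

// Sample addresses from the comment: the first three are expected to match,
// the last three are expected not to match.
$emails = [
    'g_s+gav@com.com', 'gav@gav.com', 'jim@jim.c.dc.ca',
    'gs_.gs@com.com', 'gav@gav.c', 'jim@--c.ca',
];
foreach ($emails as $e) {
    printf("%-18s %s\n", $e, is_valid_email($e) ? 'match' : 'no match');
}

// Constructed file names: the first two are valid, the rest are rejected
// ("..", a path with a separator, and a name carrying HTML markup).
$names = ['report.pdf', 'my-photo_1.png', '..', '../etc/passwd', 'a<b>.txt'];
foreach ($names as $n) {
    printf("%-18s %s\n", $n, is_valid_filename($n) ? 'valid' : 'rejected');
}
```

Run with `php validate.php`. Note that the file-name pattern says nothing about the extension itself, so a name such as `shell.php` passes it; an extension allow-list is a separate check.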

@paragbagul111
Author

Dear Frank

Use the code below to prevent the file upload XSS vulnerability:

Vulnerability poc:
https://huntr.dev/bounties/a993a05f-be50-4983-a44a-3bbff1ec00db/

1. Sanitize User Input:
Always sanitize and validate any user-provided input, including file names. Use PHP's filter_var function with the FILTER_SANITIZE_STRING filter to remove any potentially dangerous characters from the file name.

```php
// Strip tags and encode quotes in the submitted file name
// (FILTER_SANITIZE_STRING is deprecated as of PHP 8.1).
$file_name = filter_var($_POST['file_name'], FILTER_SANITIZE_STRING);
```

2. Validate File Names:
Additionally, you should validate file names to ensure they meet your application's requirements. You can use regular expressions to define a pattern that a valid file name must match. For example, you might only allow alphanumeric characters, underscores, and hyphens:

```php
// Accept only alphanumerics, underscores and hyphens
if (!preg_match('/^[a-zA-Z0-9_-]+$/', $file_name)) {
    // Invalid file name; handle the error appropriately
    die("Invalid file name");
}
```

3. Escape Output:
When you display the file name in HTML, make sure to properly escape it using htmlspecialchars to prevent any potential XSS attacks:

```php
// Encode <, >, &, " and ' as HTML entities before output
echo htmlspecialchars($file_name, ENT_QUOTES, 'UTF-8');
```

This will encode characters like <, >, and & into their respective HTML entities, making them safe for display in HTML.
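The three steps above combined into one upload handler, as an added example that is neither FlatPress code nor the code posted in this thread. The extension allow-list and the upload directory are assumptions chosen for the example. It validates the name against an allow-list rather than calling FILTER_SANITIZE_STRING (deprecated since PHP 8.1, and it only strips tags rather than enforcing a format), applies basename() so a client-supplied path cannot leave the upload directory (the directory traversal report in this thread), and escapes the original name when echoing it back in an error message, which is where unescaped user input most often reaches the page.

```php
<?php
// Added example, not FlatPress code: validate, confine and escape an upload name.

// Assumption: only these extensions are accepted; server-executable types
// such as php/phtml are deliberately absent.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];

// Assumption: uploads are stored below this directory.
const UPLOAD_DIR = __DIR__ . '/uploads';

/**
 * Return a storage-safe file name, or null if the client name is rejected.
 */
function safe_upload_name(string $client_name): ?string
{
    // Step 1: drop any directory part the client sent ("../../x.png" -> "x.png").
    $name = basename(str_replace('\\', '/', $client_name));

    // Step 2: alphanumerics, underscore and hyphen, followed by exactly one
    // extension. Double extensions like "report.pdf.php" do not match.
    if (preg_match('/^[a-zA-Z0-9_-]+\.([a-zA-Z0-9]+)$/', $name, $m) !== 1) {
        return null;
    }
    if (!in_array(strtolower($m[1]), ALLOWED_EXTENSIONS, true)) {
        return null;
    }
    return $name;
}

/**
 * Destination path for an accepted name; always a single component below UPLOAD_DIR.
 */
function upload_destination(string $safe_name): string
{
    return UPLOAD_DIR . '/' . $safe_name;
}

/**
 * Step 3: encode <, >, &, " and ' so the name is inert inside HTML.
 */
function render_name(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
}

// Constructed client-supplied names exercising each rejection path.
$samples = [
    'holiday.jpg',          // accepted
    '../../config.php',     // basename gives "config.php", rejected by extension
    'shell.php',            // rejected: executable extension
    'notes<script>.txt',    // rejected: "<" and ">" not allowed
    'report.pdf.php',       // rejected: two extensions
];
foreach ($samples as $s) {
    $safe = safe_upload_name($s);
    if ($safe === null) {
        // The rejected name is echoed back, so it is escaped here as well.
        printf("<li>rejected: %s</li>\n", render_name($s));
    } else {
        printf("<li>stored as %s (%s)</li>\n", render_name($safe), upload_destination($safe));
    }
}
```

Run with `php upload.php`; the `notes<script>.txt` line comes out as `notes&lt;script&gt;.txt`, and every accepted name resolves to exactly one path component inside UPLOAD_DIR.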

@Fraenkiman
Collaborator

Fraenkiman commented Sep 2, 2023

@azett ,

normally I assign these preventions to basic filesystem handling. Does the uploader use this core module?

@paragbagul111
Author

Dear Team,

I have shared all my recommendations, including code snippets, for addressing the patch file upload XSS vulnerability. You can access the full report on huntr.dev at the following link: https://huntr.dev/bounties/a993a05f-be50-4983-a44a-3bbff1ec00db/.

Additionally, I kindly request that you review my findings related to the Cross-Site Scripting (XSS) issue in the Flatpress installer parameter's username field. The detailed report is available here: https://huntr.dev/bounties/a38bb7c5-7e17-4a65-8b43-04e4024febaf/.

I kindly request that you promptly close these issues, and I would also appreciate your assistance in assigning a CVE number for the resolved vulnerabilities. Your swift action in this matter would be highly valuable.

Thank you for your attention and support.

Best Regards,

Parag Bagul
Security Researcher

@paragbagul111
Author

Dear Team,

Any update on when I am supposed to receive the CVE numbers for the resolved vulnerabilities?

Best regards
Parag Bagul

@paragbagul111
Author

Dear @Fraenkiman

Can I request a CVE from CVE MITRE for the cross-site scripting vulnerability that was patched by you?

Best regards,
Parag Bagul

@paragbagul111
Author

Dear @Fraenkiman

Can I request a CVE from CVE MITRE for the cross-site scripting vulnerability that was patched by you? On huntr.dev you have created a private advisory; can I request a CVE from my side?

Best regards,
Parag Bagul

@paragbagul111
Author

Dear @Fraenkiman

Can I request a CVE from CVE MITRE for the cross-site scripting vulnerability that was patched by you? On huntr.dev you have created a private advisory; can I request a CVE from my side?

Can you please assign a CVE number for the patched vulnerabilities?

Best regards,
Parag Bagul

@paragbagul111
Author

Hi,

I reported vulnerabilities a year ago that have been patched. Could you please assign CVE numbers for these vulnerabilities?

Best regards,
Parag Bagul

@paragbagul111
Author

Hi @Fraenkiman

Can you please review these findings as well, because I reported these vulnerabilities one year ago.

Best regards
Parag Bagul

Fraenkiman added a commit that referenced this issue Oct 8, 2024
- File uploads are validated and cleaned up more strictly.
- In addition, directory traversal attacks are prevented.

3 participants