Last active Sep 22, 2022
XSS vulnerability in Razor

XSS vulnerability in Razor project version 0.8.0

The path of the vulnerability.

In file

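//line 98
function uploadchannel()
{
        // Request parameter taken as-is from the POST body
        $platform = $_POST['platform'];
        $channel = $this->channel->getchanbyplat($platform);
        // Query results are written straight into the response
        echo json_encode($channel);
}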

In file razor/web/application/models/channelmodel.php

//line 421
function getchanbyplat($platform)
{
        // $platform is concatenated into both halves of the UNION query
        // ($userid is not defined in this excerpt)
        $sql="select * from  ".$this->db->dbprefix('channel')."  where active=1 and platform='$platform' and type='system' union 
        select * from  ".$this->db->dbprefix('channel')."  where active=1 and platform='$platform' and type='user' and user_id=$userid"; 
        $query = $this->db->query($sql);
        if ($query!=null&&$query->num_rows()>0) {
                return $query->result_array();
        }
        return null; 
}

We can see that the $platform variable is used inside the SQL query without sanitization, so an attacker can place a UNION clause inside platform to join harmful input to the results of the query. For example: $platform = 'something' UNION select '<script>alert(document.cookie)<\script>' AS '.

The XSS then happens at echo json_encode($channel);, where the query results, including any injected row, are written to the response.
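
The two fixes this path calls for, bound query parameters and markup-safe JSON output, shown as an added stand-alone example (not Razor's code). It assumes PDO with in-memory SQLite in place of the project's database layer; the table columns, sample rows and the function names make_db, get_chan_by_plat and render_json are constructed for illustration.

```php
<?php
// Added example: PDO + in-memory SQLite stand in for the project's DB layer.
// Table layout and rows are constructed sample data.
function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE channel (channel_id INTEGER, channel_name TEXT,
               platform TEXT, type TEXT, active INTEGER, user_id INTEGER)");
    $db->exec("INSERT INTO channel VALUES
               (1, 'Official store', 'android', 'system', 1, 0),
               (2, '<b>my channel</b>', 'android', 'user', 1, 7)");
    return $db;
}

// Same query shape as getchanbyplat(), but every value is a bound parameter,
// so quotes or UNION keywords in $platform are compared as plain data.
function get_chan_by_plat(PDO $db, string $platform, int $userid): array {
    $sql = "SELECT * FROM channel
             WHERE active=1 AND platform=:p1 AND type='system'
            UNION
            SELECT * FROM channel
             WHERE active=1 AND platform=:p2 AND type='user' AND user_id=:uid";
    $stmt = $db->prepare($sql);
    $stmt->execute([':p1' => $platform, ':p2' => $platform, ':uid' => $userid]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Encode for the response: <, >, &, ' and " become \uXXXX escapes, so the
// body carries no markup even if a client renders it as HTML.
function render_json(array $data): string {
    return json_encode($data,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

$db = make_db();

// The input quoted in the write-up above: it matches no platform value.
$quoted = "something' UNION select '<script>alert(document.cookie)<\\script>' AS '";

// Declare the body as JSON so browsers do not sniff it as HTML.
header('Content-Type: application/json; charset=utf-8');
echo render_json([
    'rows_for_quoted_input' => count(get_chan_by_plat($db, $quoted, 7)),
    'rows_for_android'      => get_chan_by_plat($db, 'android', 7),
]), "\n";
```

Run with the PHP CLI (pdo_sqlite enabled): the quoted input yields zero rows, and the stored `<b>` markup in the second row appears only as `\u003C` / `\u003E` escapes in the output.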
