zhimengzhe / ibarn Goto Github PK

iBarn SkyDrive provides file network backup, synchronization and sharing service. This system can resume upload and down file and if someone uploads one file when you upload it too, it needn't upload any more, directly upload success. You can choose file download to local or online collection. The recycle bin function to prevent users from accidentally deleted data. While providing customized services, and the two development. the intention to contact by email [email protected] or QQ 451802973.iBarn网盘，功能强大，堪比百度网盘

Home Page: http://www.godeye.org

License: Apache License 2.0

PHP 6.13% JavaScript 46.80% CSS 5.98% HTML 39.77% ActionScript 0.16% Shell 0.08% Makefile 0.01% CoffeeScript 0.82% Go 0.07% Python 0.05% Hack 0.01% TSQL 0.13%

ibarn's People

Contributors

Stargazers

Watchers

Forkers

joliny alexguo88 swg0110 wxb5859297 zhaiyijun ccczone cnphplib sukui stevenliuit ericlin315 robot0x bingshi j717273419 jzxyouok paulnew meilunzhi lovecn zhenhuamcu waiducom badxchen xpchg jkl09 myl142857 mway08 im286er mrzeta dlpc djhuixd xrogzu zero-y hqgaofeng bobiscool station19 luckfan terminiter wangjun eramisilkan fhchina dluobo ayasecore zihua kmlxk falseor guoyu07 yang22t myphptools 545191228 rabbiesamurai xinghen91 skykain syl5005 seajean ledudu skylei ancon xiaoyunge byesoft yinweizhuzhu zhangchaoquan bd0831 ashidamana jackylau0219 jeryhu xldc-nk naruto2902git 253874 barryzpc wenwenyu guoguowei ak1343794853 zhangrui2016 gdbdzgd fusky weichangdong 1099438829 superroshan riddle911 kissthink victorshare bluarry gdiceboy 502647092 luckyjianxin cquliaoli huazhipeng myphproad lq5631 bumblezhou del-xiong roche85 yankaics lookphp joyiframe xcorp1986 lin0244 1126729585 leichaojiayou jacklin xin2893 q312700254

ibarn's Issues

当文件名为中文的时候无法进行下载

当文件名为中文，点击下载会服务器500错误。

程序存在兼容性问题

sql语句存在兼容性问题我的mysql版本5.7.16 PHP7.1
表中的time字段 DEFAULT '0000-00-00 00:00:00' 会报错导致无法安装为什么不用int 存时间戳呢?
分享提示操作失败我等下去看下是啥问题
客户端运行没反应... win7 x64

iBarn v1.5 has a reflected XSS vulnerability

Summary

A reflected Cross Site Scripting (XSS) vulnerability exists in iBarn v1.5 due to improper sanitization of the $search parameter in the html/index.php, html/pay.php, and html/own.php files. Although the htmlspecialchars function is used to encode HTML entities, the developers utilized the flag ENT_NOQUOTES, which does not encode single or double quotes, leading to the vulnerability.

Details

The misuse of the htmlspecialchars function allows the injection of JavaScript code into the search field, which can be exploited for XSS attacks.

html/index.php:

   <input type="text" class="form-control" id="search" name="search" value="<?php echo htmlspecialchars($_REQUEST['search'], ENT_NOQUOTES); ?>" placeholder="<?php echo t('搜你想要'); ?>">

html/pay.php:

   <input type="text" class="form-control" id="search" name="search" value="<?php echo htmlspecialchars($_REQUEST['search'], ENT_NOQUOTES); ?>" placeholder="搜你想要">

html/own.php:

   <input type="text" class="form-control" id="search" name="search" value="<?php echo htmlspecialchars($_REQUEST['search'], ENT_NOQUOTES); ?>" placeholder="<?php echo t('搜你想要'); ?>">

Proof of Concept (PoC)

http(s)://ip:port/index.php?search=1%22%20onmouseover=alert(document.cookie)%20bad=%221

Differentiation from CVE-2024-26471

This vulnerability is distinct from CVE-2024-26471 as it specifically targets the $search parameter processed through the htmlspecialchars function and then bypasses filtering.
Although CVE-2024-26471 only mentioned that the search field in html/offer.php lacks any filtering, our investigation revealed that several other pages (shareme.php, recycle.php, collection.php, pub.php, myshare.php) also do not filter the $search parameter, leading to multiple cross-site scripting (XSS) vulnerabilities.

There is a Arbitrary File Upload vulnerability that can upload a php file and be executed.

you can upload any file as avatar at " /index.php?m=user&a=avatar". Althought the server's response show that you are fail to set avatar, but the file was uploaded,And the file can be easily to locate by uid which shows in your cookies.

/action/Core.class.php

 public function upload() {
        if (!$_REQUEST['uid']) {
            echo Response::json(LACK, array(tip('用户ID不能为空')));
            exit;
        }
        $_REQUEST['name'] = self::filterName(rawurldecode(self::trimSpace($_REQUEST['name'])));
        if (!$_REQUEST['name']) {
            echo Response::json(LACK, array(tip('文件名不能为空')));
            exit;
        }
        if (!$_REQUEST['type']) {
            if (!file_exists(DATA_DIR)) {
                $res = mkdir(DATA_DIR, 0777, true);
                if (!$res) {
                    echo Response::json(FAIL, array(tip('存储目录创建失败')));
                    exit;
                }
            }
        }
        if (!file_exists(UP_DIR)) {
            $res = mkdir(UP_DIR, 0777, true);
            if (!$res) {
                echo Response::json(FAIL, array(tip('存储目录创建失败')));
                exit;
            }
        }
        include LIB_PATH . 'plupload' . DS . 'PluploadHandler.php';
        PluploadHandler::no_cache_headers();
        PluploadHandler::cors_headers();
        if (!PluploadHandler::handle(array(
            'target_dir' => UP_DIR,
            //'allow_extensions' => 'jpg,jpeg,png'
        ))) {
            echo Response::json(FAIL, array(tip('上传失败')));
            exit;
        } else {
            echo Response::json(SUCC, array(tip('上传成功')));
        }
    }

if I logined uid is 185 and my upload filename is backdoor.php. Then http://mywebsite.com/files/18/05/backdoor.php is my really backdoor.

what's more:
I think the line "//'allow_extensions' => 'jpg,jpeg,png'" is not good to be commented.