File browser on ``diag_edit.php`` does not encode filenames before display
The file browser on diag_edit.php does not encode filenames before display.
A user who can create files with arbitrary names can break rendering of the page, though exploit potential is minimized by the fact that `/` is not valid in filenames, so tags cannot be closed.
A file with the following name, for example, can trigger a JS alert:
`<img src=src onerror=alert(1)>`
Updated by Jim Pingle about 1 year ago
- Status changed from Resolved to In Progress
- % Done changed from 100 to 90
Someone else reported this isn't completely solved. There is one place where $fqpn is used without encoding, but the required filename to exploit is different:
`touch '"><img src=src onerror=alert(3) foo=foo>'`
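As an added example, not pfSense code and not the actual diag_edit.php rendering, the PHP below shows the two contexts that the original report and the follow-up comment describe: a filename echoed as text (where the `<img ... onerror>` name fires on its own, no closing tag needed) and a filename echoed inside a double-quoted attribute (which is why the second payload has to start with `">`). Only `$fqpn` and the two payload filenames come from the ticket; the function names, the surrounding markup and the third sample filename are assumptions for illustration.

```php
<?php
// Added example: models a file-browser row that prints a filename ($fqpn)
// into HTML. The unsafe form mirrors the bug class in the ticket; the safe
// form is the fix a reviewer would expect. Not the project's own code.

// Constructed sample filenames. The first two are the payloads from the
// ticket; the third is an assumption that exercises single-quote handling.
$filenames = [
    '<img src=src onerror=alert(1)>',            // breaks out in text context
    '"><img src=src onerror=alert(3) foo=foo>',  // breaks out of a "..." attribute
    "it's a file.txt",                           // only safe with ENT_QUOTES
];

// Hypothetical unsafe rendering: $fqpn lands in an attribute and in a text
// node with no encoding at all. A name containing < or " changes the markup.
function render_unsafe(string $fqpn): string
{
    return '<a href="diag_edit.php?file=' . $fqpn . '">' . $fqpn . '</a>';
}

// Hardened rendering. htmlspecialchars() with ENT_QUOTES encodes <, >, &, "
// and ', which covers both the text-node and the double- or single-quoted
// attribute contexts. ENT_SUBSTITUTE keeps invalid UTF-8 from silently
// producing an empty string (which would hide the row instead of showing it).
// The query-string copy gets urlencode(), whose output never contains the
// characters that matter to HTML, so it is safe to place in href as well.
function render_safe(string $fqpn): string
{
    $text = htmlspecialchars($fqpn, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $href = 'diag_edit.php?file=' . urlencode($fqpn);
    return '<a href="' . $href . '">' . $text . '</a>';
}

// Simple check a reviewer can run over the output: once encoded, none of
// the markup-significant characters from the filename may survive verbatim.
function leaks_markup(string $html, string $fqpn): bool
{
    // Strip the constant template so only the injected parts are inspected.
    $injected = str_replace(['<a href="', '">', '</a>', 'diag_edit.php?file='], '', $html);
    return strpbrk($injected, '<>"\'') !== false;
}

foreach ($filenames as $name) {
    $unsafe = render_unsafe($name);
    $safe   = render_safe($name);
    printf("filename : %s\n", $name);
    printf("unsafe   : %s  (leaks markup: %s)\n", $unsafe, leaks_markup($unsafe, $name) ? 'yes' : 'no');
    printf("safe     : %s  (leaks markup: %s)\n\n", $safe, leaks_markup($safe, $name) ? 'yes' : 'no');
}
```

Running it prints, for the first payload, an unsafe row that still contains a live `<img ... onerror=alert(1)>` tag and a safe row where it has become `&lt;img src=src onerror=alert(1)&gt;`; for the second payload the `">` prefix is what lets the unsafe version terminate the `href` attribute early, and `ENT_QUOTES` is what turns that `"` into `&quot;`. The point of the ticket is that every place `$fqpn` is printed needs the same treatment, not just the first one that was found.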