From dbbc1397c41de56aa3a57c8188d19a345dea5c63 Mon Sep 17 00:00:00 2001
From: Marcus Bointon
Date: Wed, 26 Jul 2017 20:02:31 +0200
Subject: [PATCH] Fix XSS vuln in example code: CVE-2017-11503

---
 examples/code_generator.phps | 141 ++++++++++++++++++-----------------
 1 file changed, 74 insertions(+), 67 deletions(-)

diff --git a/examples/code_generator.phps b/examples/code_generator.phps
index 23458561..2182663d 100644
--- a/examples/code_generator.phps
+++ b/examples/code_generator.phps
@@ -58,46 +58,53 @@ class phpmailerAppException extends phpmailerException
 $example_code .= "\n\nclass phpmailerAppException extends phpmailerException {}";
 $example_code .= "\n\ntry {";
+// Convert a string to its JavaScript representation.
+function JSString($s) {
+ static $from = array("\\", "/", "\n", "\t", "\r", "\b", "\f", '"');
+ static $to = array('\\\\', '\\/', '\\n', '\\t', '\\r', '\\b', '\\f', '\\"');
+ return is_null($s)? 'null': '"' . str_replace($from, $to, "$s") . '"';
+}
+
 try {
 if (isset($_POST["submit"]) && $_POST['submit'] == "Submit") {
- $to = $_POST['To_Email'];
+ $to = $to_email;
 if (!PHPMailer::validateAddress($to)) {
 throw new phpmailerAppException("Email address " . $to . " is invalid -- aborting!");
 }
- $example_code .= "\n\$to = '{$_POST['To_Email']}';";
+ $example_code .= "\n\$to = '" . addslashes($to_email) . "';";
 $example_code .= "\nif(!PHPMailer::validateAddress(\$to)) {";
 $example_code .= "\n throw new phpmailerAppException(\"Email address \" . " . "\$to . \" is invalid -- aborting!\");";
 $example_code .= "\n}";
- switch ($_POST['test_type']) {
+ switch ($test_type) {
 case 'smtp':
 $mail->isSMTP(); // telling the class to use SMTP
- $mail->SMTPDebug = (integer)$_POST['smtp_debug'];
- $mail->Host = $_POST['smtp_server']; // SMTP server
- $mail->Port = (integer)$_POST['smtp_port']; // set the SMTP port
- if ($_POST['smtp_secure']) {
- $mail->SMTPSecure = strtolower($_POST['smtp_secure']);
+ $mail->SMTPDebug = (integer)$smtp_debug;
+ $mail->Host = $smtp_server; // SMTP server
+ $mail->Port = (integer)$smtp_port; // set the SMTP port
+ if ($smtp_secure) {
+ $mail->SMTPSecure = strtolower($smtp_secure);
 }
 $mail->SMTPAuth = array_key_exists('smtp_authenticate', $_POST); // enable SMTP authentication?
 if (array_key_exists('smtp_authenticate', $_POST)) {
- $mail->Username = $_POST['authenticate_username']; // SMTP account username
- $mail->Password = $_POST['authenticate_password']; // SMTP account password
+ $mail->Username = $authenticate_username; // SMTP account username
+ $mail->Password = $authenticate_password; // SMTP account password
 }
 $example_code .= "\n\$mail->isSMTP();";
- $example_code .= "\n\$mail->SMTPDebug = " . $_POST['smtp_debug'] . ";";
- $example_code .= "\n\$mail->Host = \"" . $_POST['smtp_server'] . "\";";
- $example_code .= "\n\$mail->Port = \"" . $_POST['smtp_port'] . "\";";
- $example_code .= "\n\$mail->SMTPSecure = \"" . strtolower($_POST['smtp_secure']) . "\";";
+ $example_code .= "\n\$mail->SMTPDebug = " . (integer) $smtp_debug . ";";
+ $example_code .= "\n\$mail->Host = \"" . addslashes($smtp_server) . "\";";
+ $example_code .= "\n\$mail->Port = \"" . addslashes($smtp_port) . "\";";
+ $example_code .= "\n\$mail->SMTPSecure = \"" . addslashes(strtolower($smtp_secure)) . "\";";
 $example_code .= "\n\$mail->SMTPAuth = " . (array_key_exists( 'smtp_authenticate', $_POST ) ? 'true' : 'false') . ";";
 if (array_key_exists('smtp_authenticate', $_POST)) {
- $example_code .= "\n\$mail->Username = \"" . $_POST['authenticate_username'] . "\";";
- $example_code .= "\n\$mail->Password = \"" . $_POST['authenticate_password'] . "\";";
+ $example_code .= "\n\$mail->Username = \"" . addslashes($authenticate_username) . "\";";
+ $example_code .= "\n\$mail->Password = \"" . addslashes($authenticate_password) . "\";";
 }
 break;
 case 'mail':
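Review bot: `addslashes()` is not a complete quoting step for the values spliced into double-quoted PHP literals in the generated snippet (`"\n\$mail->Host = \"" . addslashes($smtp_server) . "\";"` and the Port, SMTPSecure, Username and Password lines below it): it escapes quotes, backslashes and NUL but leaves `$` and `{` untouched, so a value containing `$var` or `{$expr}` is interpolated if the copied snippet is ever executed. `var_export($smtp_server, true)` emits a correctly escaped single-quoted literal and can replace the whole `"\"" . addslashes(...) . "\""` pattern; the same applies to the hunks at -118 and -187. The single-quoted `\$to = '...'` line is fine as written, since only `'` and `\` are significant there. For `JSString()`, `json_encode($s)` does the same job (it also escapes `/`, so `</script>` cannot be formed) and additionally covers control characters and invalid UTF-8, whereas `"\b"` in `$from` is not a PHP escape sequence, so that entry is the two characters `\b` and the replacement is a no-op.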
@@ -118,59 +125,59 @@ try {
 try {
 if ($_POST['From_Name'] != '') {
- $mail->addReplyTo($_POST['From_Email'], $_POST['From_Name']);
- $mail->setFrom($_POST['From_Email'], $_POST['From_Name']);
+ $mail->addReplyTo($from_email, $from_name);
+ $mail->setFrom($from_email, $from_name);
 $example_code .= "\n\$mail->addReplyTo(\"" .
- $_POST['From_Email'] . "\", \"" . $_POST['From_Name'] . "\");";
+ addslashes($from_email) . "\", \"" . addslashes($from_name) . "\");";
 $example_code .= "\n\$mail->setFrom(\"" .
- $_POST['From_Email'] . "\", \"" . $_POST['From_Name'] . "\");";
+ addslashes($from_email) . "\", \"" . addslashes($from_name) . "\");";
 } else {
- $mail->addReplyTo($_POST['From_Email']);
- $mail->setFrom($_POST['From_Email'], $_POST['From_Email']);
+ $mail->addReplyTo($from_email);
+ $mail->setFrom($from_email, $from_email);
- $example_code .= "\n\$mail->addReplyTo(\"" . $_POST['From_Email'] . "\");";
+ $example_code .= "\n\$mail->addReplyTo(\"" . addslashes($from_email) . "\");";
 $example_code .= "\n\$mail->setFrom(\"" .
- $_POST['From_Email'] . "\", \"" . $_POST['From_Email'] . "\");";
+ addslashes($from_email) . "\", \"" . addslashes($from_email) . "\");";
 }
 if ($_POST['To_Name'] != '') {
- $mail->addAddress($to, $_POST['To_Name']);
- $example_code .= "\n\$mail->addAddress(\"$to\", \"" . $_POST['To_Name'] . "\");";
+ $mail->addAddress($to, $to_name);
+ $example_code .= "\n\$mail->addAddress(\"$to\", \"" . addslashes($to_name) . "\");";
 } else {
 $mail->addAddress($to);
 $example_code .= "\n\$mail->addAddress(\"$to\");";
 }
 if ($_POST['bcc_Email'] != '') {
- $indiBCC = explode(" ", $_POST['bcc_Email']);
+ $indiBCC = explode(" ", $bcc_email);
 foreach ($indiBCC as $key => $value) {
 $mail->addBCC($value);
- $example_code .= "\n\$mail->addBCC(\"$value\");";
+ $example_code .= "\n\$mail->addBCC(\"" . addslashes($value) . "\");";
 }
 }
 if ($_POST['cc_Email'] != '') {
- $indiCC = explode(" ", $_POST['cc_Email']);
+ $indiCC = explode(" ", $cc_Email);
 foreach ($indiCC as $key => $value) {
 $mail->addCC($value);
- $example_code .= "\n\$mail->addCC(\"$value\");";
+ $example_code .= "\n\$mail->addCC(\"" . addslashes($value) . "\");";
 }
 }
 } catch (phpmailerException $e) { //Catch all kinds of bad addressing
 throw new phpmailerAppException($e->getMessage());
 }
- $mail->Subject = $_POST['Subject'] . ' (PHPMailer test using ' . strtoupper($_POST['test_type']) . ')';
- $example_code .= "\n\$mail->Subject = \"" . $_POST['Subject'] .
- ' (PHPMailer test using ' . strtoupper($_POST['test_type']) . ')";';
+ $mail->Subject = $subject . ' (PHPMailer test using ' . strtoupper($test_type) . ')';
+ $example_code .= "\n\$mail->Subject = \"" . addslashes($subject) .
+ ' (PHPMailer test using ' . addslashes(strtoupper($test_type)) . ')";';
 if ($_POST['Message'] == '') {
 $body = file_get_contents('contents.html');
 } else {
- $body = $_POST['Message'];
+ $body = $message;
 }
- $example_code .= "\n\$body = <<<'EOT'\n" . htmlentities($body) . "\nEOT;";
+ $example_code .= "\n\$body = <<<'EOT'\n$body\nEOT;";
 $mail->WordWrap = 78; // set word wrap to the RFC2822 limit
 $mail->msgHTML($body, dirname(__FILE__), true); //Create message bodies and embed images
@@ -187,7 +194,7 @@ try {
 $example_code .= "\n\ntry {";
 $example_code .= "\n \$mail->send();";
 $example_code .= "\n \$results_messages[] = \"Message has been sent using " .
- strtoupper($_POST['test_type']) . "\";";
+ addslashes(strtoupper($test_type)) . "\";";
 $example_code .= "\n}";
 $example_code .= "\ncatch (phpmailerException \$e) {";
 $example_code .= "\n throw new phpmailerAppException('Unable to send to: ' . \$to. ': '.\$e->getMessage());";
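Review bot: `$indiCC = explode(" ", $cc_Email);` uses a capitalised `$cc_Email`, while every other substituted input in this patch is lower-case (`$bcc_email` two lines above, `$to_email`, `$from_email`, `$subject`, `$message`); the definitions are outside the visible hunks, but if the variable is actually `$cc_email` this reads an undefined variable, `explode()` receives `null`, and `addCC()` is called once with an empty string, so the CC addresses from `$_POST['cc_Email']` are silently dropped. Suggested change: `$indiCC = explode(" ", $cc_email);`. The new `$example_code .= "\n\$body = <<<'EOT'\n$body\nEOT;";` is correct to drop `htmlentities($body)` now that the whole snippet is escaped at output time, but a message line consisting of exactly `EOT;` still terminates the generated heredoc early; `var_export($body, true)` would produce a literal that cannot be broken that way. The enclosing `if (isset($_POST["submit"]) ...)` block and outer `try` start in the hunk at -58, outside this one.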
@@ -195,7 +202,7 @@ try {
 try {
 $mail->send();
- $results_messages[] = "Message has been sent using " . strtoupper($_POST["test_type"]);
+ $results_messages[] = "Message has been sent using " . strtoupper($test_type);
 } catch (phpmailerException $e) {
 throw new phpmailerAppException("Unable to send to: " . $to . ': ' . $e->getMessage());
 }
@@ -309,22 +316,22 @@ $example_code .= "\n}";
 function startAgain() {
 var post_params = {
- "From_Name": "",
- "From_Email": "",
- "To_Name": "",
- "To_Email": "",
- "cc_Email": "",
- "bcc_Email": "",
- "Subject": "",
- "Message": "",
- "test_type": "",
- "smtp_debug": "",
- "smtp_server": "",
- "smtp_port": "",
- "smtp_secure": "",
- "smtp_authenticate": "",
- "authenticate_username": "",
- "authenticate_password": ""
+ "From_Name": ,
+ "From_Email": ,
+ "To_Name": ,
+ "To_Email": ,
+ "cc_Email": ,
+ "bcc_Email": ,
+ "Subject": ,
+ "Message": ,
+ "test_type": ,
+ "smtp_debug": ,
+ "smtp_server": ,
+ "smtp_port": ,
+ "smtp_secure": ,
+ "smtp_authenticate": ,
+ "authenticate_username": ,
+ "authenticate_password": 
 };
 var resetForm = document.createElement("form");
@@ -374,7 +381,7 @@ if (isset($_POST["submit"]) && $_POST["submit"] == "Submit") {
 echo "
\n"; echo "
Script:\n"; echo "
\n";
-    echo $example_code;
+    echo htmlentities($example_code);
     echo "\n
\n"; echo "\n
\n"; } @@ -390,7 +397,7 @@ if (isset($_POST["submit"]) && $_POST["submit"] == "Submit") { - @@ -399,7 +406,7 @@ if (isset($_POST["submit"]) && $_POST["submit"] == "Submit") { - @@ -408,7 +415,7 @@ if (isset($_POST["submit"]) && $_POST["submit"] == "Submit") { - @@ -417,7 +424,7 @@ if (isset($_POST["submit"]) && $_POST["submit"] == "Submit") { - @@ -428,7 +435,7 @@ if (isset($_POST["submit"]) && $_POST["submit"] == "Submit") { - @@ -439,7 +446,7 @@ if (isset($_POST["submit"]) && $_POST["submit"] == "Submit") { - @@ -448,7 +455,7 @@ if (isset($_POST["submit"]) && $_POST["submit"] == "Submit") { - @@ -460,7 +467,7 @@ if (isset($_POST["submit"]) && $_POST["submit"] == "Submit") { + placeholder="Body of your email"> @@ -531,7 +538,7 @@ if (isset($_POST["submit"]) && $_POST["submit"] == "Submit") { @@ -539,7 +546,7 @@ if (isset($_POST["submit"]) && $_POST["submit"] == "Submit") { + value="" placeholder="Port"> @@ -560,14 +567,14 @@ if (isset($_POST["submit"]) && $_POST["submit"] == "Submit") { - value=""> + value="true"> @@ -575,7 +582,7 @@ if (isset($_POST["submit"]) && $_POST["submit"] == "Submit") {
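Review bot: `echo htmlentities($example_code);` leans on the function's defaults, which before PHP 8.1 are `ENT_COMPAT` with no substitution flag: if any POSTed field contains an invalid UTF-8 sequence the call returns an empty string and the generated snippet silently vanishes from the page, and on PHP older than 5.4 the default charset is ISO-8859-1, so multibyte input is mis-encoded. The explicit form `echo htmlspecialchars($example_code, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');` escapes everything that matters for this text node and replaces invalid sequences with U+FFFD instead of blanking the output (`ENT_SUBSTITUTE` requires PHP 5.4+). The surrounding `echo "...\n";` lines lost their markup on this page, and the hunks from -390 onward are reduced to `value=""` and `placeholder=` fragments, so the form-field rewrites they presumably contain could not be reviewed here.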