Creating a gist sharing website using php and finding and fixing it’s security issue.

Github allows you to share your standalone code on gist.github.com , and it has a function that allows you to share your code on website or other platform using <script>. So I thought lets create a website , where everyone can share there github gist without any authentication and without using any database , ok this is little rough , we are gonna use text file with different extension to store those gist link.

Lets See how github allows us to share gist on our own website or other blogging platform.

lets see its preview after copying this embed code.

So lets Create a simple page where anyone can share their gist by only using username/gist_uid , One Thing is common in this github script embed <script src=”https://gist.github.com/username/gist_uid.js"></script> to add this gist to our webpage we just need to add our gist link and add a js in last in src attribute.

Lets create a form where any user can submit their gist, we can do that using post method on php.

First lets create a simple html form. We are gonna get two input from user first one is their gist title and the second one is their gist link.

We have used $_SEVER[“PHP_SELF”] , so the form post data in the same page.after running it on the server , output will be something the picture bellow.

But There is a issue , some time the php_self grubs the full php script name with something added to it , example if i type localhost/x.php?hi it will show something like the image bellow

it directly reflects the string added with the main script,this could lead to the webpage to reflected xss , lets try to do that our-self, lets add a simple payload with the main self script localhost/x.php?”><script>alert(1)</script>

So it executes the script we added without touching the main source of the website , by using ?”><script>alert(1)</script> , so any one could have done it .

Now Lets fix this issue , by using a simple php inbuilt function named htmlentities so if any malicious user tries to do these kind of things, their html payload will be encoded.

Now Lets write our code with it and add same payload to see if it gets executed or encoded.

Nope its get encoded . So their is no chance attacker could execute their full html tag /dom based tag, if they try to do it their html code/chars will get encoded .

after creating the form our new target is to create a php script that receives the input from the form. Its simple.

Here comes the interesting part , at first i declared that i am not gonna use any database to store the gist link. As alternative we can store all the users input in a text file with a complicated extension. lets save the output to a file and title will be the filename ,so when we display our gist on our webpage it also shows the title of the gist .Lets Write this simple code.

Explanation for this code is simple , it gets the user input and use the title as filename and save the gist link inside of the file on a folder named code with snippets extension.So we are done with the form. Now We have to find a way to read all those saved files and show them to my website. First lets use glob function to scan code directory to list all the file with .snippets extension. There could be multiple file on the directory lets create a php function with for loop so that we can read all the file name on the code directory with .snippets extension.

now lets read those file to get the link from the file and add the link inside script tag to make the gist visible to my website.

But There is a problem here , if an malicious user closes the script tag and add something on there it will mostly be like stored xss. lets sanitize the contents inside of the file with htmlentities.

On the first part we used the title as filename , lets show the title on the top of the gist .But the filename contains the snippets extension so lets replace this extension with space.and lets remove code/ from the filename , the glob will contain the full path after scanning.

Replace the $code to $filename

But if the filename contains any html char , our browser will render these char , those can also lead it to stored xss with file title . lets sanitize those with htmlentites.

Replace the $code to $filename

Output will look something like the image bellow.

You Can see the live Demo at code.system00-sec.com or you can download the source code from https://github.com/System00-Security/gist-share-php

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store