Warning

There are many false positives, or unexploitable vulnerabilities. Please create working "PoC" exploit before reporting anything to vendor!

Details:

Sink Standard::http_build_query
Risk _POST
/social-booster/vendor/jonathantorres/medium-sdk/examples/create_post.php:27 (show/hide source)
7  
8      $credentials['redirect-url'] = 'http://localhost:8888/create_post.php';
9      $medium = new Medium($credentials);
10  
11      if (isset($_GET['code'])) {
12          session_start();
13          $code = $_GET['code'];
14          $medium->authenticate($code);
15          $_SESSION['user'] = $medium->getAuthenticatedUser();
16          $_SESSION['code'] = $code;
17          $_SESSION['token'] = $medium->getAccessToken();
18      }
19  
20      if ($_SERVER['REQUEST_METHOD'] === 'POST') {
21          session_start();
22          $authenticatedUser = $_SESSION['user'];
23  
24          $data = [
25              'title' => $_POST['title'],
26              'contentFormat' => 'html',
27 'content' => $_POST['content'],
28 'publishStatus' => 'draft', 29 ];
Threat level 1

Callstack:

GuzzleHttp\Client::applyOptions /social-booster/vendor/guzzlehttp/guzzle/src/Client.php:310 (show/hide source)
290       */
291      private function applyOptions(RequestInterface $request, array &$options)
292      {
293          $modify = [
294              'set_headers' => [],
295          ];
296  
297          if (isset($options['headers'])) {
298              $modify['set_headers'] = $options['headers'];
299              unset($options['headers']);
300          }
301  
302          if (isset($options['form_params'])) {
303              if (isset($options['multipart'])) {
304                  throw new \InvalidArgumentException('You cannot use '
305                      . 'form_params and multipart at the same time. Use the '
306                      . 'form_params option if you want to send application/'
307                      . 'x-www-form-urlencoded requests, and the multipart '
308                      . 'option to send multipart/form-data requests.');
309              }
310 $options['body'] = http_build_query($options['form_params'], '', '&');
311 unset($options['form_params']); 312 // Ensure that we don't have the header in different case and set the new value.
GuzzleHttp\Client::transfer /social-booster/vendor/guzzlehttp/guzzle/src/Client.php:273 (show/hide source)
253       *
254       * @param RequestInterface $request
255       * @param array            $options
256       *
257       * @return Promise\PromiseInterface
258       */
259      private function transfer(RequestInterface $request, array $options)
260      {
261          // save_to -> sink
262          if (isset($options['save_to'])) {
263              $options['sink'] = $options['save_to'];
264              unset($options['save_to']);
265          }
266  
267          // exceptions -> http_errors
268          if (isset($options['exceptions'])) {
269              $options['http_errors'] = $options['exceptions'];
270              unset($options['exceptions']);
271          }
272  
273 $request = $this->applyOptions($request, $options);
274 $handler = $options['handler']; 275
GuzzleHttp\Client::requestAsync /social-booster/vendor/guzzlehttp/guzzle/src/Client.php:125 (show/hide source)
105          $options[RequestOptions::SYNCHRONOUS] = true;
106          return $this->sendAsync($request, $options)->wait();
107      }
108  
109      public function requestAsync($method, $uri = '', array $options = [])
110      {
111          $options = $this->prepareDefaults($options);
112          // Remove request modifying parameter because it can be done up-front.
113          $headers = isset($options['headers']) ? $options['headers'] : [];
114          $body = isset($options['body']) ? $options['body'] : null;
115          $version = isset($options['version']) ? $options['version'] : '1.1';
116          // Merge the URI into the base URI.
117          $uri = $this->buildUri($uri, $options);
118          if (is_array($body)) {
119              $this->invalidBody();
120          }
121          $request = new Psr7\Request($method, $uri, $headers, $body, $version);
122          // Remove the option so that they are not doubly-applied.
123          unset($options['headers'], $options['body'], $options['version']);
124  
125 return $this->transfer($request, $options);
126 } 127
GuzzleHttp\Client::request /social-booster/vendor/guzzlehttp/guzzle/src/Client.php:131 (show/hide source)
111          $options = $this->prepareDefaults($options);
112          // Remove request modifying parameter because it can be done up-front.
113          $headers = isset($options['headers']) ? $options['headers'] : [];
114          $body = isset($options['body']) ? $options['body'] : null;
115          $version = isset($options['version']) ? $options['version'] : '1.1';
116          // Merge the URI into the base URI.
117          $uri = $this->buildUri($uri, $options);
118          if (is_array($body)) {
119              $this->invalidBody();
120          }
121          $request = new Psr7\Request($method, $uri, $headers, $body, $version);
122          // Remove the option so that they are not doubly-applied.
123          unset($options['headers'], $options['body'], $options['version']);
124  
125          return $this->transfer($request, $options);
126      }
127  
128      public function request($method, $uri = '', array $options = [])
129      {
130          $options[RequestOptions::SYNCHRONOUS] = true;
131 return $this->requestAsync($method, $uri, $options)->wait();
132 } 133
JonathanTorres\MediumSdk\Client::makeRequest /social-booster/vendor/jonathantorres/medium-sdk/src/Client.php:134 (show/hide source)
114              'headers' => [
115                  'Content-Type' => 'application/json',
116                  'Accept' => 'application/json',
117                  'Accept-Charset' => 'utf-8',
118                  'Authorization' => 'Bearer ' . $accessToken,
119              ],
120          ]);
121      }
122  
123      /**
124       * Make a request to medium's api.
125       *
126       * @param string $method
127       * @param string $endpoint
128       * @param array $data
129       *
130       * @return StdClass
131       */
132      public function makeRequest($method, $endpoint, array $data = [])
133      {
134 $response = $this->client->request($method, $endpoint, $data);
135 136 return json_decode((string) $response->getBody());
JonathanTorres\MediumSdk\Medium::createPost /social-booster/vendor/jonathantorres/medium-sdk/src/Medium.php:206 (show/hide source)
186       */
187      public function contributors($publicationId)
188      {
189          return $this->client->makeRequest('GET', 'publications/' . $publicationId . '/contributors');
190      }
191  
192      /**
193       * Create a post on the authenticated user's profile.
194       *
195       * @param string $authorId
196       * @param array $data
197       *
198       * @return StdClass
199       */
200      public function createPost($authorId, array $data)
201      {
202          $requestData = [
203              'form_params' => $data,
204          ];
205  
206 return $this->client->makeRequest('POST', 'users/' . $authorId . '/posts', $requestData);
207 } 208
@INLINE::/social-booster/vendor/jonathantorres/medium-sdk/examples/create_post.php /social-booster/vendor/jonathantorres/medium-sdk/examples/create_post.php:32 (show/hide source)
12          session_start();
13          $code = $_GET['code'];
14          $medium->authenticate($code);
15          $_SESSION['user'] = $medium->getAuthenticatedUser();
16          $_SESSION['code'] = $code;
17          $_SESSION['token'] = $medium->getAccessToken();
18      }
19  
20      if ($_SERVER['REQUEST_METHOD'] === 'POST') {
21          session_start();
22          $authenticatedUser = $_SESSION['user'];
23  
24          $data = [
25              'title' => $_POST['title'],
26              'contentFormat' => 'html',
27              'content' => $_POST['content'],
28              'publishStatus' => 'draft',
29          ];
30  
31          $medium->setAccessToken($_SESSION['token']);
32 $post = $medium->createPost($authenticatedUser->data->id, $data);
33 } 34