From 524e10a3eb6959ac13029034c40ab143f9b2f323 Mon Sep 17 00:00:00 2001
From: shwet04 <talktoshweta0@gmail.com>
Date: Wed, 26 Mar 2025 17:03:50 +0530
Subject: [PATCH 1/3] Fix Stored XSS Vulnerability in Debug Toolbar
 (debugbar_time Parameter)!!

This PR addresses a stored XSS vulnerability in the Toolbar.php file of the Debug Toolbar system. The issue arises from improper sanitization and validation of the debugbar_time GET parameter, which is used to construct file paths and read their contents. If an attacker injects malicious JavaScript into a debugbar_*.json file, it could be executed when the debug toolbar is accessed, leading to potential security risks.

Issue Details:
Vulnerability:

The debugbar_time parameter was not properly validated, allowing attackers to inject malicious payloads.
The file contents were directly echoed back to the client without escaping, enabling stored XSS attacks.
Impact:

Session Hijacking: Attackers could steal session cookies of admins or users.
Persistent Malware Injection: Malicious scripts could persist in the debug logs and execute whenever accessed.
Privilege Escalation: If executed in a privileged session, attackers could perform unauthorized actions.

Fix Implemented:
1 . Input Validation: Added a preg_match() check to ensure the debugbar_time parameter only contains alphanumeric characters and underscores (^[a-zA-Z0-9_]+$).
This prevents malicious input from being used to construct file paths.

2. Output Escaping: Used htmlspecialchars() to escape special characters (<, >, ", ', &) in the file contents before echoing them back to the client.
This ensures that any potentially malicious content is rendered harmless in the browser.

3. File Existence and Readability Check:Added a check to ensure the file exists and is readable (is_file() and is_readable()) before attempting to read its contents.

Please review and merge this PR to address the security vulnerability.
---
 system/Debug/Toolbar.php | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/system/Debug/Toolbar.php b/system/Debug/Toolbar.php
index 9a884b60f5b3..6ef8d436bb72 100644
--- a/system/Debug/Toolbar.php
+++ b/system/Debug/Toolbar.php
@@ -484,6 +484,12 @@ public function respond()
         if ($request->getGet('debugbar_time')) {
             helper('security');
 
+            //Validate and sanitize the debugbar_time parameter -- ss
+            $debugbarTime= $request->getGet('debugbar_time');
+            if (!preg_match('/^[a-zA-Z0-9_]+$/', $debugbarTime)) {
+                throw new \InvalidArgumentException('Invalid debugbar_time parameter.');
+            }
+
             // Negotiate the content-type to format the output
             $format = $request->negotiate('media', ['text/html', 'application/json', 'application/xml']);
             $format = explode('/', $format)[1];
@@ -491,18 +497,12 @@ public function respond()
             $filename = sanitize_filename('debugbar_' . $request->getGet('debugbar_time'));
             $filename = WRITEPATH . 'debugbar/' . $filename . '.json';
 
-            if (is_file($filename)) {
+            if (is_file($filename) && is_readable($filename)) {
                 // Show the toolbar if it exists
-                echo $this->format(file_get_contents($filename), $format);
+                echo htmlspecialchars($this->format(file_get_contents($filename), $format), ENT_QUOTES, 'UTF-8');
 
                 exit;
             }
-
-            // Filename not found
-            http_response_code(404);
-
-            exit; // Exit here is needed to avoid loading the index page
-        }
     }
 
     /**

From 79df81f58741e32b6388ae9ef7dc78dcc0e79605 Mon Sep 17 00:00:00 2001
From: shwet04 <talktoshweta0@gmail.com>
Date: Thu, 27 Mar 2025 14:37:18 +0530
Subject: [PATCH 2/3] Update Toolbar.php

---
 system/Debug/Toolbar.php | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/system/Debug/Toolbar.php b/system/Debug/Toolbar.php
index 6ef8d436bb72..6e8281d31969 100644
--- a/system/Debug/Toolbar.php
+++ b/system/Debug/Toolbar.php
@@ -486,7 +486,7 @@ public function respond()
 
             //Validate and sanitize the debugbar_time parameter -- ss
             $debugbarTime= $request->getGet('debugbar_time');
-            if (!preg_match('/^[a-zA-Z0-9_]+$/', $debugbarTime)) {
+            if (!preg_match('/^\d+(\.\d+)?$/', $debugbarTime)) {
                 throw new \InvalidArgumentException('Invalid debugbar_time parameter.');
             }
 
@@ -503,6 +503,12 @@ public function respond()
 
                 exit;
             }
+
+            // Filename not found
+            http_response_code(404);
+
+            exit; // Exit here is needed to avoid loading the index page
+        }
     }
 
     /**

From 9766359034867f9a066edbf170e3d324b18582ac Mon Sep 17 00:00:00 2001
From: shwet04 <talktoshweta0@gmail.com>
Date: Thu, 27 Mar 2025 15:10:15 +0530
Subject: [PATCH 3/3] Update Toolbar.php

---
 system/Debug/Toolbar.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/system/Debug/Toolbar.php b/system/Debug/Toolbar.php
index 6e8281d31969..c2d47a9c304e 100644
--- a/system/Debug/Toolbar.php
+++ b/system/Debug/Toolbar.php
@@ -484,10 +484,10 @@ public function respond()
         if ($request->getGet('debugbar_time')) {
             helper('security');
 
-            //Validate and sanitize the debugbar_time parameter -- ss
-            $debugbarTime= $request->getGet('debugbar_time');
-            if (!preg_match('/^\d+(\.\d+)?$/', $debugbarTime)) {
-                throw new \InvalidArgumentException('Invalid debugbar_time parameter.');
+            // Validate and sanitize the debugbar_time parameter -- ss
+            $debugbarTime = $request->getGet('debugbar_time');
+            if (! preg_match('/^\d+(\.\d+)?$/', $debugbarTime)) {
+                throw new InvalidArgumentException('Invalid debugbar_time parameter.');
             }
 
             // Negotiate the content-type to format the output