- Mikhmon (MikroTik Hotspot Monitor) is a web-based application, built on the MikroTik API PHP class, that helps manage MikroTik hotspots, especially on MikroTik devices that do not support User Manager. Mikhmon is not a RADIUS server, so it does not have to be running all the time; it can be started only when needed.
- https://github.com/laksa19/mikhmonv3
- https://github.com/marketplace/dailylepedia
- The vulnerability in Mikhmon arises from the "include/menu.php" file in the source code of the software.
-
Because the values of the "set-theme=" and "setlang=" query parameters are written into the page without any filtering or output encoding, a reflected XSS vulnerability occurs.
-
Additionally, the vulnerability can be triggered without any session, i.e. no login to Mikhmon is required.
-
https://github.com/search?q=repo%3Alaksa19%2Fmikhmonv3%20set-theme%3D&type=code
-
https://github.com/search?q=repo%3Alaksa19%2Fmikhmonv3+setlang%3D&type=code
-
http://MIKHMON/admin.php?set-theme=<script>alert(document.cookie)</script>
-
http://MIKHMON/admin.php?setlang=<script>alert(document.cookie)</script>
-
Opening the URLs above triggers the payload; the injected script tag can be seen verbatim in the page source returned by the server.
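The pattern behind the advisory, and one way to fix it, as an added example that is not Mikhmon's own code. It assumes a menu-rendering function that reads "set-theme" and "setlang" from the query string and writes them into HTML, which is what the description of include/menu.php amounts to; the theme and language lists, the function names and the markup are placeholders. The vulnerable handler reflects the raw parameter; the hardened one restricts each value to an allow-list (the parameters only ever select among fixed themes and languages) and still HTML-encodes on output as defence in depth. Run from the CLI, it feeds the advisory's payload through both handlers.

```php
<?php
// Added example, not code from the Mikhmon project. Assumed: a menu include
// that reads "set-theme" and "setlang" from $_GET and echoes them into markup.

// Hypothetical vulnerable handler: the raw query value lands in the page verbatim,
// so set-theme=<script>alert(document.cookie)</script> is executed by the browser.
function render_menu_vulnerable(array $get): string
{
    $theme = $get['set-theme'] ?? 'default';
    $lang  = $get['setlang'] ?? 'en';
    return '<body class="' . $theme . '" data-lang="' . $lang . '">';
}

// Assumed allow-lists; a real deployment would use whatever themes and
// languages the application actually ships.
const ALLOWED_THEMES = ['default', 'dark', 'light'];
const ALLOWED_LANGS  = ['en', 'id'];

// Return $value only if it is exactly one of the allowed strings, else $fallback.
function pick_allowed(?string $value, array $allowed, string $fallback): string
{
    return ($value !== null && in_array($value, $allowed, true)) ? $value : $fallback;
}

// Hardened handler: allow-list first, then HTML-encode on output so that even a
// value that somehow bypassed the list is rendered as text, not markup.
function render_menu_hardened(array $get): string
{
    $theme = pick_allowed($get['set-theme'] ?? null, ALLOWED_THEMES, 'default');
    $lang  = pick_allowed($get['setlang'] ?? null, ALLOWED_LANGS, 'en');
    // ENT_QUOTES escapes both quote styles, which matters inside attribute values.
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<body class="' . $h($theme) . '" data-lang="' . $h($lang) . '">';
}

// CLI demonstration with a simulated (constructed) $_GET carrying the advisory's payload.
if (PHP_SAPI === 'cli') {
    $simulated_get = [
        'set-theme' => '<script>alert(document.cookie)</script>',
        'setlang'   => '" onload="alert(1)',
    ];
    echo "vulnerable: ", render_menu_vulnerable($simulated_get), PHP_EOL;
    echo "hardened:   ", render_menu_hardened($simulated_get), PHP_EOL;
}
```

The allow-list is the real fix here: a theme or language selector has no reason to accept arbitrary strings, so rejecting anything outside the known set closes the hole regardless of which HTML context the value is later placed in. Output encoding alone would be sufficient only if every place the value is echoed (attribute, element body, inline script) is encoded for that specific context, which is easy to miss in a file like menu.php that is included from several pages.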
- The software is also widely deployed; a ZoomEye search for exposed instances is available at:
- https://www.zoomeye.org/searchResult?q=MIKHMON