I have found a Reflected XSS vulnerability in this project #20
Comments

That's very nice but it's the admin interface; if you wanna break your own party, it's your own damn fault.

@Gargaj yes, it is the admin interface. But an attacker can use this vulnerability to do some harm, because sending an evil URL to the admin of the website does not need any admin permission.

It's not a website, it's a locally run web interface, where the admin section is password protected and no one can send requests to it. But don't worry, I'll "fix" it.

@Gargaj thanks, I got it
Hello:
I have found a Reflected XSS vulnerability in this project.
The vulnerability exists due to insufficient filtering of user-supplied data in the “id” HTTP parameter that is passed to “wuhu-master/www_admin/users.php”. The affected source code is line 67; there is no protection on $_GET["id"]. If $_GET["id"] contains evil JS code, line 67 will cause untrusted code to be executed on the browser side.

So if an attacker constructs a special URL as follows and sends it to a victim, when the victim clicks the URL, the code contained in the URL will be executed in the victim's browser to do some evil.
http://your-web-root/wuhu-master/www_admin/users.php?id="><script>alert(1);</script><"
The following screenshot is the result of clicking the above URL (Win7 SP1 x64 + Firefox 51.0.1 32bit):

Discoverer: ADLab of Venustech
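The pattern the report describes, as an added illustration that is not wuhu's own code (the real content of users.php line 67 is not shown in the issue): a constructed echo of the raw `id` parameter into an HTML attribute, beside a hardened version that validates the parameter's type and HTML-encodes it on output.

```php
<?php
// Added illustration; not taken from wuhu-master/www_admin/users.php.
// Vulnerable pattern (assumed): the raw "id" query parameter is written into an attribute.
// With ?id="><script>alert(1);</script><" the first quote closes value="..." and the
// following tag is parsed by the browser as real markup.
function render_vulnerable(array $get): string
{
    $id = $get['id'] ?? '';
    return '<input type="hidden" name="id" value="' . $id . '">';
}

// Output encoding for an attribute context: encodes <, >, &, " and ' so the value
// can never terminate the attribute or start a tag, whatever it contains.
function escape_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened version: a user id should be a non-negative integer, so reject anything else
// before it reaches the page, and still encode on output as defence in depth.
function render_hardened(array $get): string
{
    $id = filter_var($get['id'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($id === false) {
        return '<p>Invalid user id</p>';
    }
    return '<input type="hidden" name="id" value="' . escape_attr((string) $id) . '">';
}

// Constructed sample request mirroring the proof-of-concept URL in the report.
$payload = ['id' => '"><script>alert(1);</script><"'];
echo render_vulnerable($payload), PHP_EOL;   // script tag lands in the page unchanged
echo escape_attr($payload['id']), PHP_EOL;   // the same payload, rendered inert by encoding
echo render_hardened($payload), PHP_EOL;     // rejected: not an integer
echo render_hardened(['id' => '42']), PHP_EOL;
```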