
[Security] XSS in index.php of Phlex and FlexTV #37

Open
seongil-wi opened this issue Sep 13, 2021 · 1 comment


@seongil-wi

1. Are you hosting your own version of Flex TV, or using the one at https://app.phlexchat.com?

Yes

2. On what OS are you running Flex TV?

Ubuntu

3. Are you using a new instance of XAMPP, or an existing webserver?

Apache 2.4.29, with AcceptPathInfo turned on in apache2.conf

3b. If not XAMPP, what WebServer stack are you using?

No

4. Have you enabled the sockets module and ensured PHP has write-access to the directory containing Flex TV?

Yes

Description:

Reflected Cross-Site Scripting (XSS) may allow an attacker to execute JavaScript code in the context of the victim’s browser. This may lead to unauthorized actions being performed, unauthorized access to data, stealing of session information, denial of service, etc. To exploit this against a victim, an attacker needs to coerce the user into visiting a link containing the XSS payload.

Steps To Reproduce:

  1. Go to the page with the following link: http://[server]/FlexTV/index.php/');alert('1
  2. Boom!

Where the Issue Occurred
The code below displays the user-controlled input PHP_SELF in index.php without sufficient sanitization:

```php
// index.php: PHP_SELF (which includes any client-supplied PATH_INFO) is emitted unescaped into a JS string literal
window.history.pushState({}, "Hide", '<?php echo $_SERVER['PHP_SELF'];?>');
```

For Phlex:
https://github.com/d8ahazard/Phlex/blob/0a87855726cbce49d0ca84c1a7432f7a3a0458e1/index.php#L237
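The vulnerable line beside a hardened rendering of the same call, as an added example that is not Phlex/FlexTV code: the request values are constructed, and the fix shown (json_encode with the JSON_HEX_* flags, or using SCRIPT_NAME rather than PHP_SELF) is a standard PHP approach, not a patch from the project.

```php
<?php
// Added example, not code from Phlex/FlexTV: the vulnerable pattern reported
// above next to a hardened rendering of the same pushState() call.
declare(strict_types=1);

// With AcceptPathInfo on, PHP_SELF is SCRIPT_NAME plus whatever PATH_INFO the
// client appended after index.php, so its value is attacker-controlled.
function vulnerableSnippet(string $phpSelf): string
{
    // Same construction as index.php: the raw value is dropped into a JS string literal.
    return "window.history.pushState({}, \"Hide\", '" . $phpSelf . "');";
}

// Hardened form. json_encode() emits a quoted JS string literal, and the
// JSON_HEX_* flags encode ' " < > & as \uXXXX escapes, so the value can neither
// terminate the literal nor close the surrounding <script> element.
function hardenedSnippet(string $path): string
{
    $js = json_encode(
        $path,
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP
        | JSON_UNESCAPED_SLASHES | JSON_INVALID_UTF8_SUBSTITUTE
    );
    return "window.history.pushState({}, \"Hide\", " . $js . ");";
}

// Constructed request values: a PATH_INFO suffix containing quote characters.
$pathInfo   = "/a'b\"c<d";
$scriptName = '/FlexTV/index.php';       // the path the app actually wants to show
$phpSelf    = $scriptName . $pathInfo;   // what PHP_SELF becomes under AcceptPathInfo

echo 'vulnerable:  ', vulnerableSnippet($phpSelf), PHP_EOL;
echo 'hardened:    ', hardenedSnippet($phpSelf), PHP_EOL;
// Preferable still: encode SCRIPT_NAME, which carries no client-supplied suffix.
echo 'script name: ', hardenedSnippet($scriptName), PHP_EOL;
```

Run it with the PHP CLI to compare the three emitted lines; only the first one lets the quote characters in the constructed path escape the string literal.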

@d8ahazard (Owner)

d8ahazard commented Sep 13, 2021 via email
