[Security] XSS in index.php of Phlex and FlexTV #37
So, the XSS stuff was created when I decided it would be neat to make Flex
TV implement a "page manager" feature, where you can add different tabs for
apps directly to the UI.
Unfortunately, I am no longer developing the PHP version of Flex TV. Heck,
the linking API has been broken for the better part of a year thanks to
Google and DialogFlow.
As such, I do have plans to re-create the application again, this time in
dotnet. Whenever that comes to fruition, this won't be an issue, simply
because it won't be using PHP any more and probably not feature the "page
manager" bit. Or, if it does, it won't be through hacky iFrame stuff.
…On Sun, Sep 12, 2021 at 9:14 PM Seongil Wi ***@***.***> wrote:
1. Are you hosting your own version of Flex TV, or using the one at
https://app.phlexchat.com?
Yes
2. On what OS are you running Flex TV?
Ubuntu
3. Are you using a new instance of XAMPP, or an existing webserver?
Apache 2.4.29, Turn on the AcceptPathInfo in apache2.conf
3b. If not XAMPP, what WebServer stack are you using?
No
4. Have you enabled the sockets module and ensured PHP has write-access to
the directory containing Flex TV?
Yes
Description:
Reflected Cross-Site Scripting (XSS) may allow an attacker to execute
JavaScript code in the context of the victim’s browser. This may lead to
unauthorized actions being performed, unauthorized access to data, stealing
of session information, denial of service, etc. An attacker needs to coerce
a user into visiting a link with the XSS payload to be properly exploited
against a victim.
Steps To Reproduce:
1. Go to the page with the following link: http://[server]/FlexTV/index.php/');alert('1
2. Boom!
*Where the Issue Occurred*
The code below displays the user-controlled input PHP_SELF in index.php
without sufficient sanitization:
https://github.com/d8ahazard/FlexTV/blob/247d30d6c6737e517862710188b302d6a72a673c/index.php#L389
For Phlex:
https://github.com/d8ahazard/Phlex/blob/0a87855726cbce49d0ca84c1a7432f7a3a0458e1/index.php#L237
1. Are you hosting your own version of Flex TV, or using the one at https://app.phlexchat.com?
Yes
2. On what OS are you running Flex TV?
Ubuntu
3. Are you using a new instance of XAMPP, or an existing webserver?
Apache 2.4.29, Turn on the AcceptPathInfo in apache2.conf
3b. If not XAMPP, what WebServer stack are you using?
No
4. Have you enabled the sockets module and ensured PHP has write-access to the directory containing Flex TV?
Yes
Description:
Reflected Cross-Site Scripting (XSS) may allow an attacker to execute JavaScript code in the context of the victim’s browser. This may lead to unauthorized actions being performed, unauthorized access to data, stealing of session information, denial of service, etc. An attacker needs to coerce a user into visiting a link with the XSS payload to be properly exploited against a victim.
Steps To Reproduce:
Where the Issue Occurred
The code below displays the user-controlled input PHP_SELF in index.php without sufficient sanitization:
FlexTV/index.php, line 389 in 247d30d
For Phlex:
https://github.com/d8ahazard/Phlex/blob/0a87855726cbce49d0ca84c1a7432f7a3a0458e1/index.php#L237
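The following is an added example, not code from FlexTV or Phlex: it shows why echoing `PHP_SELF` is unsafe when `AcceptPathInfo` is on, next to two hardened forms. It assumes the value is written into a single-quoted JavaScript string; `setBase` is a hypothetical function name and the `$server` array is constructed sample input standing in for `$_SERVER`.

```php
<?php
// Added illustration; not the project's code.
// Assumption: PHP_SELF is emitted inside a single-quoted JavaScript string.

// Constructed stand-in for $_SERVER. With AcceptPathInfo on, Apache runs
// index.php for /index.php/<anything> and PHP_SELF includes the trailing
// path, while SCRIPT_NAME stays the path of the script itself.
$server = [
    'PHP_SELF'    => "/FlexTV/index.php/');alert('1",
    'SCRIPT_NAME' => '/FlexTV/index.php',
];

// Flags that hex-escape <, >, &, ' and " so the encoded value can neither
// close the string literal nor close the surrounding <script> element.
const JS_FLAGS = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;

// Before: raw concatenation. The quote in the path ends the string early
// and the rest of the path is parsed as JavaScript.
function render_unsafe(array $server): string
{
    return "<script>setBase('" . $server['PHP_SELF'] . "');</script>";
}

// After, option 1: do not use PHP_SELF at all. SCRIPT_NAME carries no
// client-supplied path info; it is still encoded for the JS context.
function render_script_name(array $server): string
{
    return '<script>setBase('
        . json_encode($server['SCRIPT_NAME'], JS_FLAGS)
        . ');</script>';
}

// After, option 2: if the full request path is really needed, encode it
// for the JS context. json_encode() emits the surrounding double quotes.
function render_encoded(array $server): string
{
    return '<script>setBase('
        . json_encode($server['PHP_SELF'], JS_FLAGS)
        . ');</script>';
}

// Print the three renderings for comparison.
echo render_unsafe($server), "\n";
echo render_script_name($server), "\n";
echo render_encoded($server), "\n";
```

If the value is placed in an HTML attribute instead of a script block, the matching encoder is `htmlspecialchars($value, ENT_QUOTES, 'UTF-8')`; before PHP 8.1 the default flags did not escape single quotes, so `ENT_QUOTES` has to be passed explicitly.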