This repository has been archived by the owner on Jan 5, 2023. It is now read-only.

Multiple XSS (reflected and stored) #35

Closed
thefLink opened this issue Aug 12, 2017 · 2 comments
Closed


Comments

@thefLink commented Aug 12, 2017

Hey,

I found 2 XSS in your application:

1. Reflected XSS in index.php / user_management.php

Your user_management.php is vulnerable to reflected XSS:
http://127.0.0.1/index.php/%22%3C/a%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
This is because you use $_SERVER['PHP_SELF'] to build links.
[screenshot: reflected]

This is verified with the github version as well as with Version: 1.4.6

2. Stored XSS in logfile

Version 1.4.6 from your website is also vulnerable to stored XSS via the following request:

GET /index.php HTTP/1.1
Host: 127.0.0.1
User-Agent: <script>alert(123)</script>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Connection: close
Upgrade-Insecure-Requests: 1

This is triggered when the administrator opens the log view.
[screenshot: xss_stored]

Cheers

patkon added a commit that referenced this issue Aug 14, 2017
@thefLink (Author) commented:

That fixed the issue in one of your scripts; actually, you have the same problem in 36 other files that are likely to be exploitable.

grep -r "PHP_SELF" | wc -l
36

Another thing in acp/core/user.list.php:

<a class='btn btn-primary' href='$_SERVER[PHP_SELF]?tn=user&sub=list&start=$next_start&sort=$_GET[sort]'>$lang[pagination_forward]</a>

Leads to two XSS:

  1. By the PHP_SELF usage again
     /acp/acp.php/'><script>alert(123)</script>?tn=user
  2. By $_GET['sort']
     /acp/acp.php?tn=user&sub=list&start=0&sort=asdf'><script>alert(123)</script>'

Furthermore:
Can you confirm the stored xss mentioned above exists in version 1.4.6?
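As an added example (not code from this project or from either participant), the following PHP puts the pagination-link pattern quoted above next to a hardened version, and shows the log view escaping the stored User-Agent at output time, which is what the first report's stored XSS needs. Function names, the $server/$get arrays and the sample values are constructed for the illustration; the payload strings are the ones already shown in this thread.

```php
<?php
// Added example, not the project's code. Function names, the $server/$get
// arrays and the sample values below are constructed for illustration.

declare(strict_types=1);

// HTML-escape for both text and single/double-quoted attribute contexts.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Pattern as reported: PHP_SELF and $_GET['sort'] interpolated raw into markup.
// PHP_SELF includes PATH_INFO, so a request to /acp/acp.php/'><script>...
// lands verbatim inside the href attribute.
function pagination_link_vulnerable(array $server, array $get, int $next_start, string $label): string
{
    return "<a class='btn btn-primary' href='{$server['PHP_SELF']}?tn=user&sub=list"
         . "&start={$next_start}&sort={$get['sort']}'>{$label}</a>";
}

// Hardened version:
//  - SCRIPT_NAME never carries PATH_INFO, so the attacker-controlled path suffix is gone;
//  - sort is restricted to a fixed allow-list instead of being echoed back;
//  - every dynamic value is escaped for the attribute context it is written into.
function pagination_link_safe(array $server, array $get, int $next_start, string $label): string
{
    $allowed_sort = ['asc', 'desc'];
    $sort = in_array($get['sort'] ?? '', $allowed_sort, true) ? $get['sort'] : 'asc';

    $query = http_build_query([
        'tn' => 'user', 'sub' => 'list', 'start' => $next_start, 'sort' => $sort,
    ]);
    $href = h($server['SCRIPT_NAME']) . '?' . h($query);
    return "<a class='btn btn-primary' href='{$href}'>" . h($label) . '</a>';
}

// Log view: the stored User-Agent is attacker-supplied, so it is escaped when
// rendered. Escaping at output time also covers entries written before the fix.
function log_row_safe(array $entry): string
{
    return '<tr><td>' . h($entry['ip']) . '</td><td>' . h($entry['user_agent']) . '</td></tr>';
}

// Constructed sample input reproducing the payloads quoted in this thread.
$server = [
    'PHP_SELF'    => "/acp/acp.php/'><script>alert(123)</script>",
    'SCRIPT_NAME' => '/acp/acp.php',
];
$get = ['sort' => "asdf'><script>alert(123)</script>'"];

echo pagination_link_vulnerable($server, $get, 0, 'Next'), PHP_EOL; // <script> survives
echo pagination_link_safe($server, $get, 0, 'Next'), PHP_EOL;       // path suffix gone, sort reset to asc
echo log_row_safe(['ip' => '127.0.0.1', 'user_agent' => '<script>alert(123)</script>']), PHP_EOL;
```

Run with `php example.php` and compare the two anchors: the first contains the raw `<script>` twice, the second contains only `/acp/acp.php?tn=user&amp;sub=list&amp;start=0&amp;sort=asc`. Switching to SCRIPT_NAME removes the path-info vector in every file the grep above lists, but the escaping is still required for any other value written into the page.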

@patkon (Member) commented Aug 15, 2017

Thank you for reporting. I will fix this as soon as possible and release 1.4.7

patkon added a commit that referenced this issue Aug 16, 2017
patkon added a commit that referenced this issue Aug 16, 2017
@patkon patkon closed this as completed Jun 10, 2020