
Multiple XSS (reflected and stored) #35

thefLink opened this issue Aug 12, 2017 · 2 comments

@thefLink

commented Aug 12, 2017

Hey,

I found 2 XSS in your application:

1. Reflected XSS in index.php / user_management.php

Your user_management.php is vulnerable to reflected XSS:
http://127.0.0.1/index.php/%22%3C/a%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
This is because you use $_SERVER['PHP_SELF'] to build links.
(screenshot: reflected)

This is verified with the GitHub version as well as with version 1.4.6.

2. Stored XSS in logfile

Version 1.4.6 from your website is also vulnerable to stored XSS by the following request:

GET /index.php HTTP/1.1
Host: 127.0.0.1
User-Agent: <script>alert(123)</script>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Connection: close
Upgrade-Insecure-Requests: 1

This is triggered when the administrator opens the log view.
(screenshot: xss_stored)

Cheers

patkon added a commit that referenced this issue Aug 14, 2017

@thefLink


Author

commented Aug 14, 2017

That fixed the issue in one of your scripts; actually, you have the same problem in 36 other files that are likely to be exploitable.

grep -r "PHP_SELF" | wc -l
36

Another thing in acp/core/user.list.php:

<a class='btn btn-primary' href='$_SERVER[PHP_SELF]?tn=user&sub=list&start=$next_start&sort=$_GET[sort]'>$lang[pagination_forward]</a>

Leads to two XSS:

  1. By the php_self usage again
    /acp/acp.php/'><script>alert(123)</script>?tn=user
  2. By $_GET['sort']
    /acp/acp.php?tn=user&sub=list&start=0&sort=asdf'><script>alert(123)</script>'

Furthermore:
Can you confirm the stored xss mentioned above exists in version 1.4.6?
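As an added illustration (not code from the project or from the reporter), the pagination link pattern quoted above beside a hardened version, plus an escaped log view for the User-Agent case; the `SCRIPT_NAME`-based target, the sort whitelist and the log row fields `ip` / `user_agent` are assumptions:

```php
<?php
// Added example, not the project's own code. Shows the PHP_SELF / $_GET['sort']
// link construction from the report beside a hardened form, and an escaped log view.
declare(strict_types=1);

// Escape for HTML text and attribute contexts. ENT_QUOTES also covers the
// single-quoted href attribute used in the project's template.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern as reported: PHP_SELF carries client-controlled PATH_INFO
// (/acp/acp.php/<anything>) and $_GET['sort'] is interpolated unescaped.
function pagination_link_vulnerable(array $server, array $get, int $nextStart, string $label): string {
    return "<a class='btn btn-primary' href='$server[PHP_SELF]?tn=user&sub=list&start=$nextStart&sort=$get[sort]'>$label</a>";
}

// Hardened: SCRIPT_NAME has no PATH_INFO component (assumed choice), the sort
// value is whitelisted, the query is encoded, and everything is escaped on output.
function pagination_link_safe(array $server, array $get, int $nextStart, string $label): string {
    $allowedSort = ['asc', 'desc'];                      // assumed whitelist
    $sort = in_array($get['sort'] ?? '', $allowedSort, true) ? $get['sort'] : 'asc';
    $query = http_build_query(['tn' => 'user', 'sub' => 'list', 'start' => $nextStart, 'sort' => $sort]);
    $href = $server['SCRIPT_NAME'] . '?' . $query;
    return "<a class='btn btn-primary' href='" . h($href) . "'>" . h($label) . "</a>";
}

// Log view: the stored XSS comes from echoing a logged User-Agent into the admin
// page. Escaping each field at output time neutralises whatever was stored.
function render_log_rows(array $rows): string {
    $out = '';
    foreach ($rows as $row) {
        $out .= '<tr><td>' . h($row['ip']) . '</td><td>' . h($row['user_agent']) . '</td></tr>' . "\n";
    }
    return $out;
}

// Demo with constructed input mirroring the values quoted in the report.
$server = ['PHP_SELF' => "/acp/acp.php/'><script>alert(123)</script>", 'SCRIPT_NAME' => '/acp/acp.php'];
$get = ['sort' => "asdf'><script>alert(123)</script>'"];
echo pagination_link_vulnerable($server, $get, 10, 'Next'), "\n"; // script tags land in the markup
echo pagination_link_safe($server, $get, 10, 'Next'), "\n";       // no active markup; sort falls back to asc
echo render_log_rows([['ip' => '127.0.0.1', 'user_agent' => '<script>alert(123)</script>']]);
```

Running it prints the raw link first and the escaped link second; the User-Agent row renders as literal text rather than a script element.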

@patkon


Member

commented Aug 15, 2017

Thank you for reporting. I will fix this as soon as possible and release 1.4.7.

patkon added a commit that referenced this issue Aug 16, 2017

patkon added a commit that referenced this issue Aug 16, 2017
