
XSS on login page #718

Closed
Xitro01 opened this issue Nov 12, 2021 · 3 comments

Comments

@Xitro01

Xitro01 commented Nov 12, 2021

Describe the bug/issue
The parameter data[performredirect] on the login page is vulnerable to XSS attacks.
This issue was found in the latest Docker package by jgeusebroek (jgeusebroek/docker-spotweb) and seems to involve the latest Spotweb 1.5.1 as random Spotweb servers on the internet are also vulnerable.

To Reproduce
Steps to reproduce the behavior:
Go to this URL: http://[ip]:[port]/?data[performredirect]=%22%3E%3Cscript%3Ealert(0)%3C/script%3E&page=login

Screenshots
XSS

@Xitro01 Xitro01 changed the title XSS on login page XSS on login page and other Apache security issues Nov 12, 2021
@Xitro01 Xitro01 changed the title XSS on login page and other Apache security issues XSS on login page Nov 12, 2021
Sweepr added a commit that referenced this issue Nov 13, 2021
@Sweepr Sweepr closed this as completed Nov 13, 2021
GeoffreyDijkstra pushed a commit to GeoffreyDijkstra/spotweb that referenced this issue Oct 2, 2022
@Xitro01
Author

Xitro01 commented Jun 22, 2023

Screenshot 2023-06-22 125944

I'm afraid that it's still possible. I get the "Script is not allowed" alert, but after that it will simply execute my XSS.

I'm using the following payload:
http://192.168.1.7:8081/?data[performredirect]=%22%3E%3Cscript%3Ealert(document.location)%3C/script%3E&data[renderhtml]=1&loginform[http_referer]=https%3a%2f%2f192.168.1.7%3a8081%2f%3f&page=login&loginform[xsrfid]=1687430765%3aloginform%3a1%3acf7767e526ef26267fa6e655d069f16a653fe95f&loginform[username]=&loginform[submitlogin]=Login&loginform[password]=

My advice:
User input must be HTML encoded at every point where it is copied into the application's response. All HTML characters, including <, >, ", ' and =, must be replaced with the corresponding HTML entities (&lt;, &gt;, etc.).
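As an added illustration (not Spotweb's code and not part of this thread), a hypothetical PHP renderer for the login form's hidden redirect field, showing the pattern the advice above targets: the raw parameter concatenated into an attribute beside the same field rendered with context-appropriate encoding. The function names, the hidden-field markup and the relative-path allowlist are assumptions, not the project's own logic.

```php
<?php
// Added example, not Spotweb's code. Hypothetical login-form renderer that
// copies data[performredirect] into a hidden input, in vulnerable and fixed forms.

// Constructed input matching the report's query string (PHP has already URL-decoded it).
$_GET['data']['performredirect'] = '"><script>alert(0)</script>';

// VULNERABLE (assumed pattern): the parameter lands inside an attribute unencoded.
// The leading "> closes the value and the tag, so the rest is parsed as markup.
function render_redirect_field_vulnerable(array $data): string
{
    $redirect = $data['performredirect'] ?? '';
    return '<input type="hidden" name="data[performredirect]" value="' . $redirect . '">';
}

// FIXED: encode at the point of output, for the context it is inserted into
// (an HTML attribute). ENT_QUOTES encodes both " and ', so the value cannot
// break out of either quoting style; ENT_SUBSTITUTE keeps invalid UTF-8 from
// turning the whole output into an empty string.
function encode_for_html_attribute(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_redirect_field_fixed(array $data): string
{
    $redirect = $data['performredirect'] ?? '';
    return '<input type="hidden" name="data[performredirect]" value="'
        . encode_for_html_attribute($redirect) . '">';
}

// Defence in depth (assumption, beyond the report): a post-login redirect target
// only ever needs to be a local path, so reject anything that is not one before
// it is stored or echoed. Encoding protects the HTML context; validation limits
// what the value may be at all.
function is_local_redirect(string $target): bool
{
    // One leading slash, not "//" or "/\" (scheme-relative), no control characters.
    return (bool) preg_match('#\A/(?![/\\\\])[^\x00-\x1F\x7F]*\z#', $target);
}

echo render_redirect_field_vulnerable($_GET['data']), PHP_EOL;
echo render_redirect_field_fixed($_GET['data']), PHP_EOL;
var_dump(is_local_redirect($_GET['data']['performredirect'])); // rejected
var_dump(is_local_redirect('/?page=index'));                    // accepted
```

The "Script is not allowed" alert mentioned in the comment is a client-side check; only server-side output encoding (and, ideally, input validation) stops the injected markup from reaching the browser.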

@mesa57
Collaborator

mesa57 commented Jun 22, 2023

Feel free to submit a PR

@Xitro01
Author

Xitro01 commented Jun 22, 2023

Feel free to submit a PR

To be honest, I would if I could. Yet I spend hours and hours developing my offensive security skillset and little time on my programming skills. Despite that, I still felt it was my duty to report this issue.
