Hi Team,
I was looking around in your app and on the log part (accessed by the admin), I noticed that the log file is downloaded as an HTML file. Naturally, I started trying to inject code, and I noticed that when HTML code is inserted, an HTML comment start tag is inserted. But I was able to bypass this protection by inserting a comment end tag and then the HTML code, which resulted in HTML injection.
To reproduce this behaviour I started looking where a user is able to inject data onto the log file, and I noticed that when the “Host” header is different from the one configured for the app, a warning is injected onto the app. There are likely many other sections that could serve to inject into the log, but I’ve just started to analyze the app so I couldn’t find any yet.
Proof of Concept:
Why is this a vulnerability?
A malicious individual could use this to execute malicious code on an administrator that happened to open the downloaded Log file.
How to fix? We can defeat this attack by adding an additional filter on the log file which escapes HTML special characters.
I’m sending a couple of screenshots. I’ll keep digging and if I find anything else I’ll send you another report.
Kind Regards,
Apok.
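The two renderers the report contrasts, as an added example that is not part of the report or of the affected app: the comment-wrapping scheme that a `-->` in a log entry escapes from, beside the escaping fix the report recommends. The log entries, the `log-entry` wrapper markup and the audit helper are constructed for this example.

```python
import html
import re

# Constructed sample log entries. The third carries the pattern the report
# describes: a comment-closing sequence followed by markup, delivered via a
# Host header that does not match the configured one.
SAMPLE_ENTRIES = [
    "GET /index.php from 203.0.113.5",
    "Warning: Host header 'staging.example' does not match configured host",
    "Warning: Host header '--><b>injected</b>' does not match configured host",
]

# Tags the escaping renderer legitimately emits around each entry (assumed).
WRAPPER_TAGS = {'<div class="log-entry">', "</div>"}

COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)
TAG_RE = re.compile(r"</?[a-zA-Z][^>]*>")


def render_comment_wrapped(entry: str) -> str:
    """The flawed scheme from the report: hide each entry inside an HTML
    comment. A '-->' inside the entry closes the comment early, and whatever
    follows it is parsed as live markup."""
    return "<!-- " + entry + " -->"


def render_escaped(entry: str) -> str:
    """The recommended fix: escape HTML special characters so the entry is
    always rendered as text, whatever it contains."""
    return '<div class="log-entry">' + html.escape(entry, quote=True) + "</div>"


def live_tags(rendered: str) -> list:
    """Approximate a browser's view of one rendered line: a comment ends at
    the first '-->', and any tag left outside a comment is live markup."""
    return TAG_RE.findall(COMMENT_RE.sub("", rendered))


def injected_tags(rendered: str) -> list:
    """Live tags that did not come from the renderer's own wrapper."""
    return [t for t in live_tags(rendered) if t not in WRAPPER_TAGS]


def audit(entries, renderer) -> dict:
    """Map each entry to the markup it would inject under the given renderer.
    An empty dict means the renderer kept every entry as plain text."""
    return {e: injected_tags(renderer(e)) for e in entries if injected_tags(renderer(e))}


if __name__ == "__main__":
    print("comment-wrapped:", audit(SAMPLE_ENTRIES, render_comment_wrapped))
    print("escaped:        ", audit(SAMPLE_ENTRIES, render_escaped))
```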