Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp

Valid

Reported on

Jun 26th 2021


✍️ Description

?tab= parameter is vulnerable to Cross Site Scripting. Line 1974 of backup.php sends unvalidated data to a web browser, which can result in the browser executing malicious code of XSS.

🕵️‍♂️ Proof of Concept

POC SCREENSHOT: https://drive.google.com/file/d/1PLPST2oUY96EeOhF2kfV2ZpK_OVrN2K8/view?usp=sharing

  1. Just visit /settings.php?tab=</script><script>alert(1) and XSS will be pop up.

Vulnerable Code

<?php
# reading unvalidated user input from GET request and assiging it to "tab" parameter.
    if (isset($_GET['tab']))
# print the javascript output to the end user
        print $_GET['tab'];
    else
        print "0";
?>;

💥 Impact

The attacker can:

  1. Perform any action within the application that the user can perform.
  2. View any information that the user is able to view.
  3. Modify any information that the user is able to modify.
  4. Initiate interactions with other application users, including malicious attacks, that will appear to originate from the initial victim user.

References

We have contacted a member of the falconchristmas/fpp team and are waiting to hear back a year ago
Greg Hormann validated this vulnerability a year ago
Akshay Jain has been awarded the disclosure bounty
The fix bounty is now up for grabs
Greg Hormann marked this as fixed with commit 244e8f a year ago
Greg Hormann has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation