Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp

Valid

Reported on

Jun 26th 2021


✍️ Description

?tab= parameter is vulnerable to Cross Site Scripting. Line 1974 of backup.php sends unvalidated data to a web browser, which can result in the browser executing malicious code of XSS.

🕵️‍♂️ Proof of Concept

POC SCREENSHOT: https://drive.google.com/file/d/1PLPST2oUY96EeOhF2kfV2ZpK_OVrN2K8/view?usp=sharing

  1. Just visit /settings.php?tab=</script><script>alert(1) and XSS will be pop up.

Vulnerable Code

<?php
# reading unvalidated user input from GET request and assiging it to "tab" parameter.
    if (isset($_GET['tab']))
# print the javascript output to the end user
        print $_GET['tab'];
    else
        print "0";
?>;

💥 Impact

The attacker can:

  1. Perform any action within the application that the user can perform.
  2. View any information that the user is able to view.
  3. Modify any information that the user is able to modify.
  4. Initiate interactions with other application users, including malicious attacks, that will appear to originate from the initial victim user.

References

We have contacted a member of the falconchristmas/fpp team and are waiting to hear back 5 months ago
Greg Hormann validated this vulnerability 5 months ago
Akshay Jain has been awarded the disclosure bounty
The fix bounty is now up for grabs
Greg Hormann confirmed that a fix has been merged on 244e8f 5 months ago
Greg Hormann has been awarded the fix bounty