Cross-site Scripting (XSS) - Reflected in FalconChristmas/fpp

Valid
Reported on May 29th 2021

✍️ Description

Hi, a few days ago I reported this vulnerability: https://huntr.dev/bounties/8-other-FalconChristmas/fpp/

There were two XSS vectors in https://github.com/FalconChristmas/fpp/blob/f032d800a67ed280f8d577d95519a71c95114579/www/runEventScript.php#L41:

<?php
if ((isset($_GET['scriptName'])) &&
    (file_exists($scriptDirectory . "/" . $_GET['scriptName'])))
{
    $script = $_GET['scriptName'];

    $args = "";
    if (isset($_GET['args']))
        $args = $_GET['args'];

    echo "Running $script $args<br><hr>\n"; // [1]
    /**/
}
else
{
?>
ERROR: Unknown script:
<?
    echo $_GET['scriptName']; // [2]
}
?>

The commit https://github.com/FalconChristmas/fpp/commit/f032d800a67ed280f8d577d95519a71c95114579 only dealt with vector [1], not vector [2]. After your fix, a reflected XSS attack was still possible because $_GET['scriptName'] is still reflected without sanitization in the error branch.
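A hardened form of both reflection points, written here as an added example rather than the project's own patch; the helper name h() is chosen for this example, and $scriptDirectory is assumed to be defined earlier in the file as in the original.

```php
<?php
// Added example, not the upstream fix. Assumes $scriptDirectory is set
// earlier in the file, as it is in www/runEventScript.php.

// Encode a value for an HTML text context. ENT_QUOTES also makes the
// result safe inside single- or double-quoted attributes.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Read the inputs once; reject non-string values (e.g. scriptName[]=x)
// so neither branch ever interpolates anything but a plain string.
$script = (isset($_GET['scriptName']) && is_string($_GET['scriptName']))
    ? $_GET['scriptName'] : '';
$args   = (isset($_GET['args']) && is_string($_GET['args']))
    ? $_GET['args'] : '';

if ($script !== '' && file_exists($scriptDirectory . "/" . $script))
{
    // [1] Upstream already fixed this line; the output is encoded here too.
    echo "Running " . h($script) . " " . h($args) . "<br><hr>\n";
    /**/
}
else
{
    // [2] The error path echoes the same attacker-controlled value, so it
    // needs the same encoding; the PoC payload renders as literal text.
    echo "ERROR: Unknown script: " . h($script) . "\n";
}
?>
```

With this in place the PoC value <script>alert('zer0h')</script> is emitted as &lt;script&gt;alert(&#039;zer0h&#039;)&lt;/script&gt; and is no longer interpreted by the browser.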

🕵️‍♂️ Proof of Concept

Update fpp and visit http://127.0.0.1/runEventScript.php?scriptName=%3Cscript%3Ealert(%27zer0h%27)%3C/script%3E

💥 Impact

XSS