Cross-site Scripting (XSS) - Reflected in FalconChristmas/fpp

Valid
Reported on May 29th 2021

✍️ Description

Hi, there are two potential reflected XSS issues in https://github.com/FalconChristmas/fpp/blob/123cdf2eb11062766da333a7a4d85bc0bf620e47/www/restartRemoteFPPD.php#L16 :

<?php
// Request parameter taken directly from the query string, no validation
$ip = $_GET['ip'];

/**/
if (isset($_GET['mode'])) {
    // First sink: $ip is echoed into the response unencoded
    echo "Setting FPPD mode @ $ip\n";
    /**/
}

// Second sink: reached on every request, again without encoding
echo "Restarting FPPD @ $ip\n";

The ip parameter is read from $_GET and echoed into the response in both statements without any validation or HTML encoding, so a crafted value in the URL is reflected verbatim into the page.
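The fix a maintainer would apply to both sinks, as an added example written for this report rather than fpp's own code: validate that the parameter is really an IP address before using it, and HTML-encode it on output anyway. The function names and the constructed inputs are assumptions.

```php
<?php
// Added example, not code from the fpp repository.
// Layer 1: accept only values that parse as an IP address.
function validatedIp(array $query): ?string
{
    $ip = $query['ip'] ?? '';
    return filter_var($ip, FILTER_VALIDATE_IP) === false ? null : $ip;
}

// Layer 2: encode anything that reaches the HTML response, even after validation,
// so the page never trusts the input to be safe on its own.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened equivalent of the two echo statements in restartRemoteFPPD.php.
function renderRestartMessages(array $query): string
{
    $ip = validatedIp($query);
    if ($ip === null) {
        // Reject before anything is echoed; the raw value is never reflected.
        return "Invalid ip parameter\n";
    }
    $out = '';
    if (isset($query['mode'])) {
        $out .= "Setting FPPD mode @ " . esc($ip) . "\n";
    }
    $out .= "Restarting FPPD @ " . esc($ip) . "\n";
    return $out;
}

// Constructed inputs: the report's payload, and a legitimate remote address.
$payload = ['ip' => "<script>alert('zer0h')</Script>", 'mode' => ''];
$legit   = ['ip' => '192.168.1.50', 'mode' => ''];
echo renderRestartMessages($payload); // Invalid ip parameter
echo renderRestartMessages($legit);   // Setting FPPD mode @ 192.168.1.50 / Restarting FPPD @ 192.168.1.50
```

Validation alone would already block the script payload; the encoding layer is kept so that a later change to accept hostnames does not silently reopen the sink.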

🕵️‍♂️ Proof of Concept

Visit http://127.0.0.1/restartRemoteFPPD.php?ip=%3Cscript%3Ealert(%27zer0h%27)%3C/Script%3E or visit the same URL and add &mode=

💥 Impact

Reflected XSS in the FPP web interface: attacker-controlled script runs in the browser of any user who opens a crafted link to restartRemoteFPPD.php.