Cross-site Scripting (XSS) - Generic in boxbilling/boxbilling

Valid

Reported on

Apr 17th 2021


✍️ Description

XSS via support ticket

🕵️‍♂️ Proof of Concept

Log in to your BoxBilling account and create a support ticket. Put the XSS payload below into the support ticket: `[click-me](javascript://%0d%0aalert(document.domain))`. Now save the ticket, click the link, and see that the XSS is executed.

Video PoC: https://drive.google.com/file/d/1dfhfoP0D9fmU9G4b6Kv-2B5kSWQAJ8Rc/view?usp=sharing

💥 Impact

XSS attack: the `javascript:` link stored in the ticket runs attacker-controlled script in the browser of any user who clicks it.
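The PoC link works because the support ticket's markdown renderer writes the user-supplied `href` into the page without checking its scheme: `javascript:` is accepted, the `//` makes the target look like an ordinary protocol-relative URL to a naive filter, and the encoded CR/LF ends what JavaScript treats as a line comment so `alert()` still runs. The following is an added example (not BoxBilling's own code) of the defensive check a link renderer should apply; it assumes a hypothetical markdown-link renderer that has the link text and `href` available before they are written into the page.

```javascript
// Added example, not code from BoxBilling: scheme allowlist for hrefs in
// user-supplied markdown links, blocking the javascript: link in the PoC.
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

// Percent-decode defensively; a malformed sequence is left as-is rather
// than letting decodeURIComponent throw.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Returns true only if the href is relative or uses an allowed scheme.
// Browsers strip raw tab/newline/control characters before parsing the
// scheme; this check percent-decodes first and then strips them too, so
// encoded variants are treated the same way (stricter than the browser,
// which is the safe direction). Note that a scheme-less host:port such as
// "example.com:8080/x" is rejected by this check, also the safe direction.
function isSafeHref(href) {
  let h = safeDecode(String(href));
  h = h.replace(/[\u0000-\u0020\u007f]/g, "");
  const m = h.match(/^([a-z][a-z0-9+.-]*):/i);
  if (!m) {
    // No scheme: relative URL such as "/support/ticket/1" or "#top".
    return true;
  }
  return ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

// Minimal HTML escaping for text and attribute values.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"
  })[c]);
}

// Renders a markdown-style link [text](href) as HTML. When the href fails
// the allowlist the text is still shown but no anchor is produced, so the
// PoC payload renders as the plain words "click-me".
function renderLink(text, href) {
  if (!isSafeHref(href)) {
    return escapeHtml(text);
  }
  return `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${escapeHtml(text)}</a>`;
}
```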

Arjun Shibu
a year ago

I can't get the test environment for boxbilling set up. I tried https://github.com/boxbilling/boxbilling#running-from-the-source-code and it's stuck at the final stage of installation. Then I tried Docker; the installation went okay, but I can't load anything other than the home page. Can anybody help?

Arjun Shibu
a year ago

The error I'm getting after the normal installation is: syntax error, unexpected namespaced name "implements\IteratorAggregate", expecting "{"

Yağızhan
a year ago

@arjunshibu Seems like you're using PHP 8. Supported versions are PHP 7.2 <= x < 8. Please downgrade and try to install again. Also, the Docker image is probably not synced with the master branch; please grab the source code from the master branch instead.

Timothy Webb Sr
a year ago

@arjunshibu

I have resolved the following error; please pull the current master branch and try again.

The error I'm getting after the normal installation is: syntax error, unexpected namespaced name "implements\IteratorAggregate", expecting "{"

Timothy Webb Sr
a year ago

@ranjit-git

Please see my comment below.

Arjun Shibu
a year ago

@timothygwebb Thanks. I resolved this issue and submitted a fix for the vulnerability. Please take a look 🙂.
