Cross-site Scripting (XSS) - Generic in boxbilling/boxbilling
Reported on Apr 17th 2021
✍️ Description
XSS via support ticket
🕵️♂️ Proof of Concept
Log into your boxbilling account and create a support ticket. Put the XSS payload below in the support ticket: `[click-me](javascript://%0d%0aalert(document.domain))`. Now save the link, click it and see that the XSS is executed.
Video PoC: https://drive.google.com/file/d/1dfhfoP0D9fmU9G4b6Kv-2B5kSWQAJ8Rc/view?usp=sharing
💥 Impact
XSS attack
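The report's payload passes any filter that only checks whether a link "looks like" a URL: `javascript://` has the `scheme://` shape, and the encoded CR LF after the `//` lets the JavaScript after it run. The fix a ticket renderer needs is a scheme allowlist applied to the parsed URL. The following is an added example, not BoxBilling's own code; `safeHref`, `renderLink` and the `ticket.example` base are constructed for illustration.

```javascript
// Added example (not BoxBilling code): vetting the href of a user-supplied
// markdown link before a support ticket is rendered as HTML.
const REPORTED_PAYLOAD = "javascript://%0d%0aalert(document.domain)"; // from the report

// Weak check: accepts anything shaped like scheme://rest. The payload's
// `//` exists precisely so that a filter like this lets it through.
function looksLikeUrl(href) {
  return /^[a-z][a-z0-9+.-]*:\/\//i.test(href);
}

// Hardened check: parse with the WHATWG URL parser (which strips leading and
// trailing whitespace/control characters and lowercases the scheme, as a
// browser does) and allow only known-safe schemes. Relative links resolve
// against a constructed placeholder base and so inherit its https: scheme.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);
const PLACEHOLDER_BASE = "https://ticket.example/"; // constructed value

function safeHref(href) {
  let url;
  try {
    url = new URL(href, PLACEHOLDER_BASE);
  } catch (_) {
    return null; // unparseable: drop the link entirely
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return null; // javascript:, data:, vbscript:, ... are all rejected
  }
  return url.href;
}

// Escape text for an HTML context so the link label cannot inject markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Render a markdown-style [text](href) link; if the href is rejected, the
// label is emitted as plain text instead of a clickable link.
function renderLink(text, href) {
  const safe = safeHref(href);
  const label = escapeHtml(text);
  if (safe === null) return label;
  return `<a href="${escapeHtml(safe)}" rel="noopener noreferrer">${label}</a>`;
}

console.log(looksLikeUrl(REPORTED_PAYLOAD)); // true: the shape-only check passes the payload
console.log(safeHref(REPORTED_PAYLOAD));     // null: the allowlist rejects it
console.log(renderLink("click-me", REPORTED_PAYLOAD)); // "click-me" as plain text
```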
I can't get the test environment for boxbilling set up. I tried https://github.com/boxbilling/boxbilling#running-from-the-source-code and it's stuck at the final stage of installation. Then I tried Docker; the installation went okay, but I can't load anything other than the home page. Can anybody help?
The error I'm getting after the normal installation is: `syntax error, unexpected namespaced name "implements\IteratorAggregate", expecting "{"`
@arjunshibu, it seems like you're using PHP 8. Supported versions are PHP 7.2 <= x < 8. Please downgrade and try to install again. Also, the Docker image is probably not synced with the master branch, so please grab the source code from the master branch instead.
@arjunshibu
I have resolved the error quoted below; please pull the current master branch and try again.
> The error I'm getting after the normal installation is: `syntax error, unexpected namespaced name "implements\IteratorAggregate", expecting "{"`
@timothygwebb thanks. I resolved this issue and submitted a fix for the vulnerability. Please take a look 🙂.