Cross-site Scripting (XSS) - Reflected in FalconChristmas/fpp

Valid
Reported on May 29th 2021

✍️ Description

Hi, In https://github.com/FalconChristmas/fpp/blob/123cdf2eb11062766da333a7a4d85bc0bf620e47/www/virtualdisplay.php#L14 you create a variable canvasWidth that will be used and reflected multiple times without sanitizing user input :

<?php
require_once('config.php');
require_once('common.php');

// 16:9 default aspect but smaller by default
$canvasWidth = 800;
$canvasHeight = 450;

if (isset($_GET['width']))
{
    $canvasWidth = $_GET['width'];//XSS here
    $canvasHeight = (int)($canvasWidth * 9.0 / 16.0);
}
?>

Later in the script : another PHP file will be called :

require_once('virtualdisplaybody.php');

This file will echo the $canvasWidth variable twice in lines L85 and L195 :

var canvasWidth = <? echo $canvasWidth; ?>;
/**/
<canvas id='vCanvas' width='<? echo $canvasWidth; ?>' height='<? echo $canvasHeight; ?>'></canvas></td>

🕵️‍♂️ Proof of Concept

Visit http://127.0.0.1/virtualdisplay.php?width=1337;alert(%27zer0h%27) to exploit the 1st reflection

💥 Impact

XSS