Cross-site Scripting (XSS) - Reflected in dmpop/mejiro

Valid

Reported on

Oct 13th 2021


Description

From OWASP : : Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script.

This report is a bypass of this report

Proof of Concept

Impacted GET variable : d & photo

http://0.0.0.0/mejiro/index.php?d=%3Cimg%20src=x%20onerror=alert(1)%20/%3E
http://0.0.0.0/mejiro/index.php?all=1&photo=%22%3E%3Cimg%20src%3da%20onerror%3dalert(1)%3E&d=

Impact

  • Cookie theft: Stealing the victim's cookie in order to access their account;
  • Phishing: Rewriting the DOM of the page or redirecting the victim to a malicious site;
  • Screenshot: Use HTML5 features to make a screenshot of the page from victim PoV;

Remediation

Use htmlentities()

We have contacted a member of the dmpop/mejiro team and are waiting to hear back 2 months ago
JoMar modified their report
2 months ago
JoMar modified their report
2 months ago
JoMar modified their report
2 months ago
JoMar submitted a
2 months ago
JoMar modified their report
2 months ago
JoMar modified their report
2 months ago
JoMar submitted a
2 months ago
Dmitri Popov validated this vulnerability 2 months ago
JoMar has been awarded the disclosure bounty
The fix bounty is now up for grabs
Dmitri Popov
2 months ago

Maintainer


I'm too stupid to figure out how to fix the code. Any suggestion will be greatly appreciated.

JoMar
2 months ago

Researcher


Hi, I've joined a fix with the report :)

JoMar
2 months ago

Researcher


In case you don't see it : https://github.com/dmpop/mejiro/compare/HEAD...joshuamart:fix_xss

Dmitri Popov
2 months ago

Maintainer


Ah! I've merged your changes into my repo. Thank you so much for your help!

Dmitri Popov confirmed that a fix has been merged on 4e8782 2 months ago
JoMar has been awarded the fix bounty
index.php#L360 has been validated
index.php#L102 has been validated
JoMar
2 months ago

Researcher


You welcome

JoMar
2 months ago

Researcher


@admin As seen with Dmitri Popov the 0$ bounty is a mistake but he doesn't know how to change it, not having this point of view I can't help him, can you please tell him? thank's

Jamie Slome
2 months ago

Admin


@maintainer - can you please confirm you are happy to reward the full disclosure bounty?

Dmitri Popov
2 months ago

Maintainer


@admin Yes, I confirm that I'd like to reward the full disclosure bounty.

Jamie Slome
2 months ago

Admin


Sorted! ♥️ 💰

JoMar
2 months ago

Researcher


Thank's guys :)