Cross-site Scripting (XSS) - Reflected in erikdubbelboer/phpredisadmin

Valid

Reported on Aug 23rd 2021

✍️ Description

The application is vulnerable to a cross-frame scripting (XFS) / frame-injection attack: the front page uses its query string, without validation, as the src of the iframe in which it displays its own pages, so a crafted link makes phpRedisAdmin frame an arbitrary external URL.

🕵️‍♂️ Proof of Concept

Navigate to https://domain.tld/phpRedisAdmin/?https://www.eia.gov/state/maps

The page https://www.eia.gov/state/maps.php is then loaded in an iframe inside the phpRedisAdmin page: the query string is passed straight through as the frame's src. To confirm, inspect the iframe element in the browser's developer tools and check that its src attribute contains the URL supplied after the "?"; substituting an attacker-hosted URL shows that the framed content is entirely attacker-controlled while the address bar still shows the phpRedisAdmin origin.

💥 Impact

Cross-Frame Scripting (XFS) combines malicious JavaScript with an iframe so that one page can abuse another page shown in a frame, and it is usually only successful when combined with social engineering, for example an attacker convincing the victim to open a link. In the textbook variant the attacker's own page frames a legitimate site and its JavaScript tries to capture what the user types into the frame. In phpRedisAdmin the roles are reversed: a crafted link makes the trusted phpRedisAdmin origin frame an attacker-controlled page. The victim sees the phpRedisAdmin address in the browser bar while the content (for example a fake login or re-authentication prompt) is entirely the attacker's, which is the basis for credential phishing against the Redis administrator. Because the framed page is cross-origin, the same-origin policy prevents it from reading the parent document or its cookies directly. The report does not show whether the same sink also accepts a javascript: URL, which would turn the frame injection into a genuine reflected XSS, so the XSS classification should be read as the category the report was filed under rather than as demonstrated script execution.
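The sink the proof of concept exercises, and one way to close it, as an added example. This is not phpRedisAdmin's own code and not the fix merged in e24eca; it assumes that the front page treats the text after "?" as "page&params" (so "?edit.php&s=0&key=foo" frames edit.php with s=0&key=foo) and uses an assumed list of page names. Everything else is a plain allowlist check plus attribute escaping.

```php
<?php
declare(strict_types=1);

// Added example, not phpRedisAdmin's own code. Models a front page whose iframe
// src is built from the raw query string, as the PoC demonstrates, and shows an
// allowlist-based replacement. Page names and the "page&params" layout of the
// query string are assumptions for illustration.

const DEFAULT_PAGE = 'overview.php';

// Assumed set of local pages the front page is allowed to frame.
const ALLOWED_PAGES = ['overview.php', 'info.php', 'edit.php', 'view.php', 'export.php'];

/**
 * Vulnerable pattern: whatever follows "?" becomes the frame src unchanged, so
 * "?https://attacker.example/" makes the trusted origin frame a foreign page.
 */
function frame_src_vulnerable(string $query): string
{
    return $query === '' ? DEFAULT_PAGE : $query;
}

/**
 * Hardened version: the first "&"-separated token must be one of the known
 * local pages; the remainder is decoded and re-encoded parameter by parameter,
 * so no raw URL, scheme or quote character survives into the attribute.
 * Anything unexpected falls back to the default page instead of being echoed.
 */
function frame_src_hardened(string $query): string
{
    if ($query === '') {
        return DEFAULT_PAGE;
    }
    [$page, $rest] = array_pad(explode('&', $query, 2), 2, '');
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return DEFAULT_PAGE;   // absolute URLs, "//host", "javascript:", "../x" all land here
    }
    if ($rest === '') {
        return $page;
    }
    parse_str($rest, $params);                         // frame page's own parameters, URL-decoded
    return $page . '?' . http_build_query($params);    // re-encoded with RFC 1738 escaping
}

/** Render the iframe tag; the src is attribute-escaped regardless of where it came from. */
function render_frame(string $query): string
{
    $src = frame_src_hardened($query);
    return '<iframe src="' . htmlspecialchars($src, ENT_QUOTES, 'UTF-8') . '"></iframe>';
}

// Constructed inputs: the PoC's external URL plus variants an attacker would try.
$inputs = [
    '',
    'edit.php&s=0&d=0&key=foo',
    'https://www.eia.gov/state/maps',
    '//attacker.example/login',
    'javascript:alert(document.domain)',
    'edit.php&key=" onload="alert(1)',
];

foreach ($inputs as $q) {
    printf("%-40s vulnerable: %-40s hardened: %s\n",
        var_export($q, true), frame_src_vulnerable($q), frame_src_hardened($q));
}
echo render_frame('edit.php&key=" onload="alert(1)'), "\n";
```

Run with php on the command line. The external URL, the protocol-relative URL and the javascript: URL all collapse to overview.php in the hardened version, while a legitimate "edit.php&s=0&d=0&key=foo" still becomes edit.php?s=0&d=0&key=foo. An allowlist of pages is preferable to denylisting "http://" or "//" because scheme and encoding variants are easy to miss; the final htmlspecialchars call is defence in depth for the attribute context.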

Occurrences

We have contacted a member of the erikdubbelboer/phpredisadmin team and are waiting to hear back 3 months ago
Erik Dubbelboer confirmed that a fix has been merged on e24eca 3 months ago
The fix bounty has been dropped