Cross-site Scripting (XSS) - Reflected in erikdubbelboer/phpredisadmin

Valid

Reported on

Aug 23rd 2021


✍️ Description

The application is vulnerable to a cross-frame scripting (XFS) attack.

🕵️‍♂️ Proof of Concept

Navigate to https://domain.tld/phpRedisAdmin/?https://www.eia.gov/state/maps

The page https://www.eia.gov/state/maps.php will be loaded in an iframe on the page.

💥 Impact

Cross-Frame Scripting (XFS) is an attack that combines malicious JavaScript with an iframe that loads a legitimate page in an effort to steal data from an unsuspecting user. This attack is usually only successful when combined with social engineering. An example would consist of an attacker convincing the user to navigate to a web page the attacker controls. The attacker’s page then loads malicious JavaScript and an HTML iframe pointing to a legitimate site. Once the user enters credentials into the legitimate site within the iframe, the malicious JavaScript steals the keystrokes.
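The proof of concept above shows the application turning whatever follows `?` into the source of an iframe. The following is an added example, not phpRedisAdmin's own code and not the fix in the referenced commit: it contrasts a constructed lookalike of that unsafe pattern with an allowlist-based version that only frames known local pages, and sets a `frame-ancestors` policy so the application itself refuses to be embedded by other origins. The page names in `ALLOWED_PAGES` and the helper function names are assumptions for illustration.

```php
<?php
// Added example (not phpRedisAdmin's code): resolving an iframe target from the
// query string. The unsafe version mirrors the behaviour in the proof of concept:
// whatever follows "?" becomes the frame source, so an external URL gets framed.
// The hardened version accepts only names from a fixed allowlist of local pages.

// Constructed allowlist of pages the application is allowed to frame (assumption).
const ALLOWED_PAGES = ['overview', 'info', 'export', 'import'];

// Unsafe: the raw query string is used directly as the frame source.
function frame_src_unsafe(string $queryString): string {
    // 'https://example.invalid/x' -> 'https://example.invalid/x.php'
    return $queryString !== '' ? $queryString . '.php' : 'overview.php';
}

// Hardened: only a known page name is accepted; anything else falls back to the default.
function frame_src_safe(string $queryString): string {
    $page = $queryString === '' ? 'overview' : $queryString;
    if (!in_array($page, ALLOWED_PAGES, true)) {
        $page = 'overview';
    }
    return $page . '.php';
}

// Escape for the attribute context so the value cannot break out of the tag.
function render_frame(string $src): string {
    return '<iframe src="' . htmlspecialchars($src, ENT_QUOTES, 'UTF-8') . '"></iframe>';
}

// Header sent before any output: the browser refuses to embed this application in a
// frame on another origin, which addresses the XFS scenario described above.
header("Content-Security-Policy: frame-ancestors 'self'");

// Demonstration with a constructed query string that mimics the proof of concept.
$qs = 'https://www.eia.gov/state/maps';
echo render_frame(frame_src_unsafe($qs)), PHP_EOL; // frames the external site
echo render_frame(frame_src_safe($qs)), PHP_EOL;   // falls back to overview.php
```

The strict `in_array` comparison and the fixed fallback matter more than the escaping: `htmlspecialchars` keeps the value inside the `src` attribute, but it does nothing to stop an arbitrary external URL from being framed, which is exactly what the proof of concept demonstrates.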

Occurrences

We have contacted a member of the erikdubbelboer/phpredisadmin team and are waiting to hear back 2 years ago
Erik Dubbelboer marked this as fixed with commit e24eca 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE