Cross-site Scripting (XSS) - Reflected in falconchristmas/fpp
Valid
Reported on May 12th 2021
✍️ Description
In https://github.com/FalconChristmas/fpp/blob/123cdf2eb11062766da333a7a4d85bc0bf620e47/www/runEventScript.php#L30 you echo unsanitized user input in two places:
<?php
if ((isset($_GET['scriptName'])) &&
    (file_exists($scriptDirectory . "/" . $_GET['scriptName'])))
{
    $script = $_GET['scriptName'];
    $args = "";
    if (isset($_GET['args']))
        $args = $_GET['args'];
    echo "Running $script $args<br><hr>\n"; // [1]
    echo "<pre>\n";
    system($SUDO . " $fppDir/scripts/eventScript $scriptDirectory/$script $args");
    echo "</pre>\n";
}
else
{
?>
ERROR: Unknown script:
<?
    echo $_GET['scriptName']; // [2]
}
?>
At [1] and [2] you echo user input onto the page without sanitizing it; this leads to XSS.
🕵️♂️ Proof of Concept
Visit http://127.0.0.1/runEventScript.php?args=%3Cscript%3Ealert(%22zer0h%22)%3C/script%3E&scriptName=
💥 Impact
XSS
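One way to close both sinks, shown as an added example that is not part of the original report or the fpp code base: every request value is HTML-encoded before it is echoed at [1] and [2]. The helper names h(), render_running(), render_unknown() and str_param() are hypothetical, and the request array is constructed from the proof-of-concept URL.

```php
<?php
// Added example (not the project's code): output-encode both echo sinks.
// h(), render_running(), render_unknown(), str_param() are hypothetical names.

// Encode a value for an HTML text or quoted-attribute context.
function h(string $value): string
{
    // ENT_QUOTES covers ' and "; ENT_SUBSTITUTE replaces invalid UTF-8
    // sequences instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Sink [1]: the "Running ..." banner.
function render_running(string $script, string $args): string
{
    return 'Running ' . h($script) . ' ' . h($args) . "<br><hr>\n";
}

// Sink [2]: the error branch.
function render_unknown(string $script): string
{
    return 'ERROR: Unknown script: ' . h($script) . "\n";
}

// Query parameters can arrive as arrays (?args[]=x); accept only strings.
function str_param(array $query, string $key): string
{
    return (isset($query[$key]) && is_string($query[$key])) ? $query[$key] : '';
}

// Constructed request: the proof-of-concept parameters, URL-decoded.
$query = ['scriptName' => '', 'args' => '<script>alert("zer0h")</script>'];

// Exercise both sinks with the same payload.
$out = render_running(str_param($query, 'scriptName'), str_param($query, 'args'))
     . render_unknown(str_param($query, 'args'));

echo $out;

// The payload must only appear in encoded form.
if (strpos($out, '<script>') !== false) {
    fwrite(STDERR, "unescaped markup reached the output\n");
    exit(1);
}
```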