Cross-site Scripting (XSS) - Reflected in FalconChristmas/fpp

Valid
Reported on May 12th 2021

✍️ Description

In https://github.com/FalconChristmas/fpp/blob/123cdf2eb11062766da333a7a4d85bc0bf620e47/www/runEventScript.php#L30 you echo unsanitized user input in two places:

<?php
if ((isset($_GET['scriptName'])) &&
    (file_exists($scriptDirectory . "/" . $_GET['scriptName'])))
{
    $script = $_GET['scriptName'];

    $args = "";
    if (isset($_GET['args']))
        $args = $_GET['args'];

    echo "Running $script $args<br><hr>\n"; // [1]
    echo "<pre>\n";
    system($SUDO . " $fppDir/scripts/eventScript $scriptDirectory/$script $args");
    echo "</pre>\n";
}
else
{
?>
ERROR: Unknown script:
<?
    echo $_GET['scriptName']; // [2]
}
?>

At [1] and [2] you echo user input to the page without sanitizing it, which leads to XSS.

🕵️‍♂️ Proof of Concept

Visit http://127.0.0.1/runEventScript.php?args=%3Cscript%3Ealert(%22zer0h%22)%3C/script%3E&scriptName=

💥 Impact

XSS
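
One way to close both sinks marked [1] and [2] is to HTML-encode the values at the point of output. This is an added example, not the FPP project's code or its actual patch; the helper names `h()`, `query_string_param()`, `run_banner()` and `unknown_script_message()` are hypothetical, and it assumes PHP 7 or later and a UTF-8 page.

```php
<?php
// Added example, not FPP project code. All function names here are hypothetical.

// Encode a value for an HTML text or quoted-attribute context.
function h(string $value): string
{
    // ENT_QUOTES encodes both quote characters; ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences instead of letting htmlspecialchars() return "".
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Query-string values can arrive as arrays (?args[]=x); accept only strings
// so the encoder always receives the type it expects.
function query_string_param(array $query, string $key): string
{
    return (isset($query[$key]) && is_string($query[$key])) ? $query[$key] : '';
}

// Sink [1]: the "Running ..." banner, with both values encoded.
function run_banner(string $script, string $args): string
{
    return 'Running ' . h($script) . ' ' . h($args) . "<br><hr>\n";
}

// Sink [2]: the error branch, with the script name encoded.
function unknown_script_message(string $script): string
{
    return 'ERROR: Unknown script: ' . h($script) . "\n";
}

// Constructed input: the decoded query string from the proof of concept above.
// In the real page this array would be $_GET.
$query = [
    'args'       => '<script>alert("zer0h")</script>',
    'scriptName' => '',
];

$script = query_string_param($query, 'scriptName');
$args   = query_string_param($query, 'args');

// The payload is emitted as inert text: <, > and " become entities.
echo run_banner($script, $args);

// The same payload supplied as scriptName would reach sink [2]; it is encoded too.
echo unknown_script_message($query['args']);
```

The encoding is applied when the value is written into HTML, so the raw `$script` and `$args` remain available unchanged for the `file_exists()` check.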