Stored XSS on entire Client site in fossbilling/fossbilling
Jun 15th 2023
An admin or staff account with the "System" permission can produce a stored XSS across the entire client site.
Proof of Concept
Set the "Signature" field to this value: "FOSSBilling.org - Client Management, Invoice and Support Software"><img src=x onerror=alert(document.domain)>"
The payload then fires on every client screen.
It seems the value is rendered into the footer.
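The defensive point of the report is that the admin-controlled "Signature" value reaches the client-area footer without output encoding. The PHP below is an added example, not FOSSBilling's own code: the footer markup, the function names and the use of the report's payload as test input are all constructed here. It places the vulnerable rendering beside the hardened one so the difference in output is visible.

```php
<?php
// Added example (not FOSSBilling code): rendering an admin-controlled
// "Signature" setting into a client-area footer, unencoded vs. encoded.
// The footer markup and function names are constructed for this example.

declare(strict_types=1);

// The payload from the report, used here only as test input.
const SIGNATURE_PAYLOAD = 'FOSSBilling.org - Client Management, Invoice and Support Software"><img src=x onerror=alert(document.domain)>';

// Vulnerable: the stored value is concatenated straight into HTML.
// The first '"' in the payload closes the title attribute and the
// <img ...> tag that follows becomes live markup.
function renderFooterUnsafe(string $signature): string
{
    return '<footer class="client-footer" title="' . $signature . '">'
        . $signature . '</footer>';
}

// Encode for the HTML context at the point of output.
// ENT_QUOTES also encodes '"' and "'", so the value is safe inside
// attribute values as well as in element text.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened: every interpolation goes through e().
function renderFooterSafe(string $signature): string
{
    return '<footer class="client-footer" title="' . e($signature) . '">'
        . e($signature) . '</footer>';
}

// Small check suitable for a regression test: does the rendered HTML
// still contain an unencoded opening tag of the given name?
function containsRawTag(string $html, string $tag): bool
{
    return stripos($html, '<' . $tag) !== false;
}

if (PHP_SAPI === 'cli') {
    $unsafe = renderFooterUnsafe(SIGNATURE_PAYLOAD);
    $safe   = renderFooterSafe(SIGNATURE_PAYLOAD);

    echo "unsafe: ", $unsafe, PHP_EOL;
    echo "safe:   ", $safe, PHP_EOL;

    // The unsafe output carries a live <img> element; the safe one does not.
    var_dump(containsRawTag($unsafe, 'img'));
    var_dump(containsRawTag($safe, 'img'));
}
```

Run with `php footer_example.php`. In the safe output the payload's `"` and `<`/`>` appear as `&quot;`, `&lt;` and `&gt;`, so the browser shows the signature as text. In a Twig template with autoescaping enabled, `{{ signature }}` applies the same encoding; the `|raw` filter disables it, so a `|raw` on an admin-editable setting is the pattern to look for when auditing a footer like the one described in this report.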
Since the session cookie is set with the "HttpOnly" attribute, the attacker cannot hijack user sessions, but can still carry out malicious actions through the XSS, such as:
- Redirecting users to a malicious website.
- Capturing keystrokes from users.
- Obtaining access to a user’s browsing history and clipboard contents.
- Executing web browser-based exploits (e.g., crashing the browser).
- Inducing users to submit requests to a server controlled by the attacker.
- Modifying the page’s content.
- Using deception to trick the victim into disclosing their password to the application or other applications.
- Using a security vulnerability in the web browser to infect the victim with other malicious code and potentially take over the victim’s computer.